System and method for peer-to-peer media routing using a third party instant messaging system for signaling

ABSTRACT

An improved system and method are disclosed for peer-to-peer communications. In one example, the method enables an endpoint to engage in a call with another endpoint using a third party instant message system to carry instant messages containing signaling information and a route that is external to the third party instant message system for both signaling and media information.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of U.S. patent application Ser. No.12/770,482, filed on Apr. 29, 2010, now U.S. Pat. No. 8,352,563, issuedJan. 8, 2013, and entitled SYSTEM AND METHOD FOR PEER-TO-PEER MEDIAROUTING USING A THIRD PARTY INSTANT MESSAGING SYSTEM FOR SIGNALING,which is incorporated herein by reference in its entirety.

INCORPORATION BY REFERENCE

Application Ser. No. 12/770,482 incorporates by reference in theirentirety U.S. Pat. No. 7,570,636, filed on Aug. 30, 2005, and entitledSYSTEM AND METHOD FOR TRAVERSING A NAT DEVICE FOR PEER-TO-PEER HYBRIDCOMMUNICATIONS, and U.S. patent application Ser. No. 12/705,925, filedon Feb. 15, 2010, and entitled SYSTEM AND METHOD FOR STRATEGIC ROUTINGIN A PEER-TO-PEER ENVIRONMENT.

BACKGROUND

Current packet-based communication networks may be generally dividedinto peer-to-peer networks and client/server networks. Traditionalpeer-to-peer networks support direct communication between variousendpoints without the use of an intermediary device (e.g., a host orserver). Each endpoint may initiate requests directly to other endpointsand respond to requests from other endpoints using credential andaddress information stored on each endpoint. However, becausetraditional peer-to-peer networks include the distribution and storageof endpoint information (e.g., addresses and credentials) throughout thenetwork on the various insecure endpoints, such networks inherently havean increased security risk. While a client/server model addresses thesecurity problem inherent in the peer-to-peer model by localizing thestorage of credentials and address information on a server, adisadvantage of client/server networks is that the server may be unableto adequately support the number of clients that are attempting tocommunicate with it. As all communications (even between two clients)must pass through the server, the server can rapidly become a bottleneckin the system.

Accordingly, what is needed are a system and method that addresses theseissues.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding, reference is now made to thefollowing description taken in conjunction with the accompanyingDrawings in which:

FIG. 1 is a simplified network diagram of one embodiment of a hybridpeer-to-peer system.

FIG. 2 a illustrates one embodiment of an access server architecturethat may be used within the system of FIG. 1.

FIG. 2 b illustrates one embodiment of an endpoint architecture that maybe used within the system of FIG. 1.

FIG. 2 c illustrates one embodiment of components within the endpointarchitecture of FIG. 2 b that may be used for cellular networkconnectivity.

FIG. 2 d illustrates a traditional softswitch configuration with twoendpoints.

FIG. 2 e illustrates a traditional softswitch configuration with threeendpoints and a media bridge.

FIG. 2 f illustrates one embodiment of the present disclosure with twoendpoints, each of which includes a softswitch.

FIG. 2 g illustrates one embodiment of the present disclosure with threeendpoints, each of which includes a softswitch.

FIG. 3 a is a sequence diagram illustrating the interaction of variouscomponents of FIG. 2 b when placing a call.

FIG. 3 b is a sequence diagram illustrating the interaction of variouscomponents of FIG. 2 b when receiving a call.

FIG. 4 is a sequence diagram illustrating an exemplary process by whichan endpoint of FIG. 1 may be authenticated and communicate with anotherendpoint.

FIG. 5 is a sequence diagram illustrating an exemplary process by whichan endpoint of FIG. 1 may determine the status of another endpoint.

FIG. 6 is a sequence diagram illustrating an exemplary process by whichan access server of FIG. 1 may aid an endpoint in establishingcommunications with another endpoint.

FIG. 7 is a sequence diagram illustrating an exemplary process by whichan endpoint of FIG. 1 may request that it be added to the buddy list ofanother endpoint that is currently online.

FIG. 8 is a sequence diagram illustrating an exemplary process by whichan endpoint of FIG. 1 may request that it be added to the buddy list ofanother endpoint that is currently offline.

FIG. 9 is a sequence diagram illustrating an exemplary process by whichan endpoint of FIG. 1 may request that it be added to the buddy list ofanother endpoint that is currently offline before it too goes offline.

FIG. 10 is a simplified diagram of another embodiment of a peer-to-peersystem that includes a stateless reflector that may aid an endpoint intraversing a NAT device to communicate with another endpoint.

FIG. 11 is a table illustrating various NAT types and illustrativeembodiments of processes that may be used to traverse each NAT typewithin the system of FIG. 10.

FIG. 12 is a sequence diagram illustrating one embodiment of a processfrom the table of FIG. 11 in greater detail.

FIG. 13 illustrates one embodiment of a modified packet that may be usedwithin the process of FIG. 12.

FIGS. 14-18 are sequence diagrams that each illustrate an embodiment ofa process from the table of FIG. 11 in greater detail.

FIGS. 19A and 19B are simplified diagrams of another embodiment of apeer-to-peer system that includes multiple possible routes betweenendpoints.

FIG. 20 is a sequence diagram illustrating one embodiment of a processthat may be executed by endpoints within the system of FIGS. 19A and19B.

FIG. 21 is a sequence diagram illustrating one embodiment of steps fromthe sequence diagram of FIG. 20 in greater detail.

FIG. 22 is a flow chart illustrating one embodiment of a method that maybe executed by an endpoint within the system of FIGS. 19A and 19B.

FIGS. 23A and 23B are simplified diagrams of another embodiment of apeer-to-peer system that includes a tunneling server and multiplepossible routes between endpoints.

FIG. 24 is a sequence diagram illustrating one embodiment of a processthat may be executed by endpoints within the system of FIGS. 23A and23B.

FIG. 25 is a simplified diagram of another embodiment of a peer-to-peerenvironment in which endpoints may engage in a call by exchangingsignaling information via a third party instant message system that isseparate from a peer-to-peer hybrid network and by exchanging mediainformation via one or more routes that are established via thepeer-to-peer hybrid network and outside of the third party instantmessage system.

FIG. 26A is a sequence diagram illustrating one embodiment of a messagesequence that may occur when two endpoints are communicating within theenvironment of FIG. 25.

FIG. 26B is a diagram illustrating one embodiment of state changes thatmay occur in a state machine that is in an endpoint within theenvironment of FIG. 25.

FIG. 27 is a flow chart illustrating one embodiment of a method that maybe executed by an endpoint requesting a call within the environment ofFIG. 25.

FIG. 28 is a flow chart illustrating one embodiment of a method that maybe executed by an endpoint receiving a call request within theenvironment of FIG. 25.

FIG. 29 is a simplified diagram of one embodiment of a computer systemthat may be used in embodiments of the present disclosure.

DETAILED DESCRIPTION

The present disclosure is directed to a system and method forpeer-to-peer hybrid communications. It is understood that the followingdisclosure provides many different embodiments or examples. Specificexamples of components and arrangements are described below to simplifythe present disclosure. These are, of course, merely examples and arenot intended to be limiting. In addition, the present disclosure mayrepeat reference numerals and/or letters in the various examples. Thisrepetition is for the purpose of simplicity and clarity and does not initself dictate a relationship between the various embodiments and/orconfigurations discussed.

Referring to FIG. 1, one embodiment of a peer-to-peer hybrid system 100is illustrated. The system 100 includes an access server 102 that iscoupled to endpoints 104 and 106 via a packet network 108. Communicationbetween the access server 102, endpoint 104, and endpoint 106 isaccomplished using predefined and publicly available (i.e.,non-proprietary) communication standards or protocols (e.g., thosedefined by the Internet Engineering Task Force (IETF) or theInternational Telecommunications Union-Telecommunications StandardSector (ITU-T)). For example, signaling communications (e.g., sessionsetup, management, and teardown) may use a protocol such as the SessionInitiation Protocol (SIP), while actual data traffic may be communicatedusing a protocol such as the Real-time Transport Protocol (RTP). As willbe seen in the following examples, the use of standard protocols forcommunication enables the endpoints 104 and 106 to communicate with anydevice that uses the same standards. The communications may include, butare not limited to, voice calls, instant messages, audio and video,emails, and any other type of resource transfer, where a resourcerepresents any digital data. In the following description, media trafficis generally based on the user datagram protocol (UDP), whileauthentication is based on the transmission control protocol/internetprotocol (TCP/IP). However, it is understood that these are used forpurposes of example and that other protocols may be used in addition toor instead of UDP and TCP/IP.

Connections between the access server 102, endpoint 104, and endpoint106 may include wireline and/or wireless communication channels. In thefollowing description, it is understood that the term “direct” meansthat there is no endpoint or access server in the communicationchannel(s) between the endpoints 104 and 106, or between either endpointand the access server. Accordingly, the access server 102, endpoint 104,and endpoint 106 are directly connected even if other devices (e.g.,routers, firewalls, and other network elements) are positioned betweenthem. In addition, connections to endpoints, locations, or services maybe subscription based, with an endpoint only having access if theendpoint has a current subscription. Furthermore, the followingdescription may use the terms “user” and “endpoint” interchangeably,although it is understood that a user may be using any of a plurality ofendpoints. Accordingly, if an endpoint logs in to the network, it isunderstood that the user is logging in via the endpoint and that theendpoint represents the user on the network using the user's identity.

The access server 102 stores profile information for a user, a sessiontable to track what users are currently online, and a routing table thatmatches the address of an endpoint to each online user. The profileinformation includes a “buddy list” for each user that identifies otherusers (“buddies”) that have previously agreed to communicate with theuser. Online users on the buddy list will show up when a user logs in,and buddies who log in later will directly notify the user that they areonline (as described with respect to FIG. 4). The access server 102provides the relevant profile information and routing table to each ofthe endpoints 104 and 106 so that the endpoints can communicate directlywith one another. Accordingly, in the present embodiment, one functionof the access server 102 is to serve as a storage location forinformation needed by an endpoint in order to communicate with otherendpoints and as a temporary storage location for requests, voicemails,etc., as will be described later in greater detail.

With additional reference to FIG. 2 a, one embodiment of an architecture200 for the access server 102 of FIG. 1 is illustrated. The architecture200 includes functionality that may be provided by hardware and/orsoftware, and that may be combined into a single hardware platform ordistributed among multiple hardware platforms. For purposes ofillustration, the access server in the following examples is describedas a single device, but it is understood that the term applies equallyto any type of environment (including a distributed environment) inwhich at least a portion of the functionality attributed to the accessserver is present.

In the present example, the architecture includes web services 202(e.g., based on functionality provided by XML, SOAP, .NET, MONO), webserver 204 (using, for example, Apache or IIS), and database 206 (using,for example, mySQL or SQLServer) for storing and retrieving routingtables 208, profiles 210, and one or more session tables 212.Functionality for a STUN (Simple Traversal of UDP through NATs (NetworkAddress Translation)) server 214 is also present in the architecture200. As is known, STUN is a protocol for assisting devices that arebehind a NAT firewall or router with their packet routing. Thearchitecture 200 may also include a redirect server 216 for handlingrequests originating outside of the system 100. One or both of the STUNserver 214 and redirect server 216 may be incorporated into the accessserver 102 or may be a standalone device. In the present embodiment,both the server 204 and the redirect server 216 are coupled to thedatabase 206.

Referring to FIG. 2 b, one embodiment of an architecture 250 for theendpoint 104 (which may be similar or identical to the endpoint 106) ofFIG. 1 is illustrated. It is understood that that term “endpoint” mayrefer to many different devices having some or all of the describedfunctionality, including a computer, a VoIP telephone, a personaldigital assistant, a cellular phone, or any other device having an IPstack upon which the needed protocols may be run. Such devices generallyinclude a network interface, a controller coupled to the networkinterface, a memory coupled to the controller, and instructionsexecutable by the controller and stored in the memory for performing thefunctions described in the present application. Data needed by anendpoint may also be stored in the memory. The architecture 250 includesan endpoint engine 252 positioned between a graphical user interface(GUI) 254 and an operating system 256. The GUI 254 provides user accessto the endpoint engine 252, while the operating system 256 providesunderlying functionality, as is known to those of skill in the art.

The endpoint engine 252 may include multiple components and layers thatsupport the functionality required to perform the operations of theendpoint 104. For example, the endpoint engine 252 includes a softswitch258, a management layer 260, an encryption/decryption module 262, afeature layer 264, a protocol layer 266, a speech-to-text engine 268, atext-to-speech engine 270, a language conversion engine 272, anout-of-network connectivity module 274, a connection from other networksmodule 276, a p-commerce (e.g., peer commerce) engine 278 that includesa p-commerce agent and a p-commerce broker, and a cellular networkinterface module 280.

Each of these components/layers may be further divided into multiplemodules. For example, the softswitch 258 includes a call control module,an instant messaging (IM) control module, a resource control module, aCALEA (Communications Assistance to Law Enforcement Act) agent, a mediacontrol module, a peer control module, a signaling agent, a fax controlmodule, and a routing module.

The management layer 260 includes modules for presence (i.e., networkpresence), peer management (detecting peers and notifying peers of beingonline), firewall management (navigation and management), mediamanagement, resource management, profile management, authentication,roaming, fax management, and media playback/recording management.

The encryption/decryption module 262 provides encryption for outgoingpackets and decryption for incoming packets. In the present example, theencryption/decryption module 262 provides application level encryptionat the source, rather than at the network. However, it is understoodthat the encryption/decryption module 262 may provide encryption at thenetwork in some embodiments.

The feature layer 264 provides support for various features such asvoice, video, IM, data, voicemail, file transfer, file sharing, class 5features, short message service (SMS), interactive voice response (IVR),faxes, and other resources. The protocol layer 266 includes protocolssupported by the endpoint, including SIP, HTTP, HTTPS, STUN, RTP, SRTP,and ICMP. It is understood that these are examples only, and that feweror more protocols may be supported.

The speech-to-text engine 268 converts speech received by the endpoint(e.g., via a microphone or network) into text, the text-to-speech engine270 converts text received by the endpoint into speech (e.g., for outputvia a speaker), and the language conversion engine 272 may be configuredto convert inbound or outbound information (text or speech) from onelanguage to another language. The out-of-network connectivity module 274may be used to handle connections between the endpoint and externaldevices (as described with respect to FIG. 12), and the connection fromother networks module 276 handles incoming connection attempts fromexternal devices. The cellular network interface module 280 may be usedto interact with a wireless network.

With additional reference to FIG. 2 c, the cellular network interfacemodule 280 is illustrated in greater detail. Although not shown in FIG.2 b, the softswitch 258 of the endpoint architecture 250 includes acellular network interface for communication with the cellular networkinterface module 280. In addition, the cellular network interface module280 includes various components such as a call control module, asignaling agent, a media manager, a protocol stack, and a deviceinterface. It is noted that these components may correspond to layerswithin the endpoint architecture 250 and may be incorporated directlyinto the endpoint architecture in some embodiments.

Referring to FIG. 2 d, a traditional softswitch architecture isillustrated with two endpoints 282 and 284, neither of which includes asoftswitch. In the present example, an external softswitch 286 maintainsa first signaling leg (dotted line) with the endpoint 282 and a secondsignaling leg (dotted line) with the endpoint 284. The softswitch 286links the two legs to pass signaling information between the endpoints282 and 284. Media traffic (solid lines) may be transferred between theendpoints 282 and 284 via a media gateway 287.

With additional reference to FIG. 2 e, the traditional softswitcharchitecture of FIG. 2 d is illustrated with a third endpoint 288 thatalso does not include a softswitch. The external softswitch 286 nowmaintains a third signaling leg (dotted line) with the endpoint 288. Inthe present example, a conference call is underway. However, as none ofthe endpoints includes a softswitch, a media bridge 290 connected toeach endpoint is needed for media traffic. Accordingly, each endpointhas at most two concurrent connections—one with the softswitch forsignaling and another with the media bridge for media traffic.

Referring to FIG. 2 f, in one embodiment, unlike the traditionalarchitecture of FIGS. 2 d and 2 e, two endpoints (e.g., the endpoints104 and 106 of FIG. 1) each include a softswitch (e.g., the softswitch258 of FIG. 2 b). Each endpoint is able to establish and maintain bothsignaling and media traffic connections (both virtual and physical legs)with the other endpoint. Accordingly, no external softswitch is needed,as this model uses a distributed softswitch method to handlecommunications directly between the endpoints.

With additional reference to FIG. 2 g, the endpoints 104 and 106 areillustrated with another endpoint 292 that also contains a softswitch.In this example, a conference call is underway with the endpoint 104acting as the host. To accomplish this, the softswitch contained in theendpoint 104 enables the endpoint 104 to support direct signaling andmedia traffic connections with the endpoint 292. The endpoint 104 canthen forward media traffic from the endpoint 106 to the endpoint 292 andvice versa. Accordingly, the endpoint 104 may support multipleconnections to multiple endpoints and, as in FIG. 2 f, no externalsoftswitch is needed.

Referring again to FIG. 2 b, in operation, the softswitch 258 usesfunctionality provided by underlying layers to handle connections withother endpoints and the access server 102, and to handle services neededby the endpoint 104. For example, as is described below in greaterdetail with respect to FIGS. 3 a and 3 b, incoming and outgoing callsmay utilize multiple components within the endpoint architecture 250.

Referring to FIG. 3 a, a sequence diagram 300 illustrates an exemplaryprocess by which the endpoint 104 may initiate a call to the endpoint106 using various components of the architecture 250. Prior to step 302,a user (not shown) initiates a call via the GUI 254. In step 302, theGUI 254 passes a message to the call control module (of the softswitch258) to make the call. The call control module contacts the peer controlmodule (softswitch 258) in step 304, which detects the peer (if notalready done), goes to the routing table (softswitch 258) for therouting information, and performs similar operations. It is understoodthat not all interactions are illustrated. For example, the peer controlmodule may utilize the peer management module (of the management layer260) for the peer detection. The call control module then identifies aroute for the call in step 306, and sends message to the SIP protocollayer (of the protocol layer 266) to make the call in step 308. In step310, the outbound message is encrypted (using the encryption/decryptionmodule 262) and the message is sent to the network via the OS 256 instep 312.

After the message is sent and prior to receiving a response, the callcontrol module instructs the media control module (softswitch 258) toestablish the needed near-end media in step 314. The media controlmodule passes the instruction to the media manager (of the managementlayer 260) in step 316, which handles the establishment of the near-endmedia.

With additional reference to FIG. 3 b, the message sent by the endpoint104 in step 312 (FIG. 3 a) is received by the endpoint 106 and passedfrom the OS to the SIP protocol layer in step 352. The message isdecrypted in step 354 and the call is offered to the call control modulein step 356. The call control module notifies the GUI of an incomingcall in step 358 and the GUI receives input identifying whether the callis accepted or rejected (e.g., by a user) in step 360. In the presentexample, the call is accepted and the GUI passes the acceptance to thecall control module in step 362. The call control module contacts thepeer control module in step 364, which identifies a route to the callingendpoint and returns the route to the call control module in step 366.In steps 368 and 370, the call control module informs the SIP protocollayer that the call has been accepted and the message is encrypted usingthe encryption/decryption module. The acceptance message is then sent tothe network via the OS in step 372.

In the present example, after the call control module passes theacceptance message to the SIP protocol layer, other steps may occur toprepare the endpoint 106 for the call. For example, the call controlmodule instructs the media control module to establish near-end media instep 374, and the media control module instructs the media manager tostart listening to incoming media in step 376. The call control modulealso instructs the media control module to establish far-end media (step378), and the media control module instructs the media manager to starttransmitting audio in step 380.

Returning to FIG. 3 a, the message sent by the endpoint 106 (step 372)is received by the OS and passed on to the SIP protocol layer in step318 and decrypted in step 320. The message (indicating that the call hasbeen accepted) is passed to the call control module in step 322 and fromthere to the GUI in step 324. The call control module then instructs themedia control module to establish far-end media in step 326, and themedia control module instructs the media manager to start transmittingaudio in step 328.

The following figures are sequence diagrams that illustrate variousexemplary functions and operations by which the access server 102 andthe endpoints 104 and 106 may communicate. It is understood that thesediagrams are not exhaustive and that various steps may be excluded fromthe diagrams to clarify the aspect being described.

Referring to FIG. 4 (and using the endpoint 104 as an example), asequence diagram 400 illustrates an exemplary process by which theendpoint 104 may authenticate with the access server 102 and thencommunicate with the endpoint 106. As will be described, afterauthentication, all communication (both signaling and media traffic)between the endpoints 104 and 106 occurs directly without anyintervention by the access server 102. In the present example, it isunderstood that neither endpoint is online at the beginning of thesequence, and that the endpoints 104 and 106 are “buddies.” As describedabove, buddies are endpoints that have both previously agreed tocommunicate with one another.

In step 402, the endpoint 104 sends a registration and/or authenticationrequest message to the access server 102. If the endpoint 104 is notregistered with the access server 102, the access server will receivethe registration request (e.g., user ID, password, and email address)and will create a profile for the endpoint (not shown). The user ID andpassword will then be used to authenticate the endpoint 104 during laterlogins. It is understood that the user ID and password may enable theuser to authenticate from any endpoint, rather than only the endpoint104.

Upon authentication, the access server 102 updates a session tableresiding on the server to indicate that the user ID currently associatedwith the endpoint 104 is online. The access server 102 also retrieves abuddy list associated with the user ID currently used by the endpoint104 and identifies which of the buddies (if any) are online using thesession table. As the endpoint 106 is currently offline, the buddy listwill reflect this status. The access server 102 then sends the profileinformation (e.g., the buddy list) and a routing table to the endpoint104 in step 404. The routing table contains address information foronline members of the buddy list. It is understood that steps 402 and404 represent a make and break connection that is broken after theendpoint 104 receives the profile information and routing table.

In steps 406 and 408, the endpoint 106 and access server 102 repeatsteps 402 and 404 as described for the endpoint 104. However, becausethe endpoint 104 is online when the endpoint 106 is authenticated, theprofile information sent to the endpoint 106 will reflect the onlinestatus of the endpoint 104 and the routing table will identify how todirectly contact it. Accordingly, in step 410, the endpoint 106 sends amessage directly to the endpoint 104 to notify the endpoint 104 that theendpoint 106 is now online. This also provides the endpoint 104 with theaddress information needed to communicate directly with the endpoint106. In step 412, one or more communication sessions may be establisheddirectly between the endpoints 104 and 106.

Referring to FIG. 5, a sequence diagram 500 illustrates an exemplaryprocess by which authentication of an endpoint (e.g., the endpoint 104)may occur. In addition, after authentication, the endpoint 104 maydetermine whether it can communicate with the endpoint 106. In thepresent example, the endpoint 106 is online when the sequence begins.

In step 502, the endpoint 104 sends a request to the STUN server 214 ofFIG. 2. As is known, the STUN server determines an outbound IP address(e.g., the external address of a device (i.e., a firewall, router, etc.)behind which the endpoint 104 is located), an external port, and a typeof NAT used by the device. The type of NAT may be, for example, fullcone, restricted cone, port restricted cone, or symmetric, each of whichis discussed later in greater detail with respect to FIG. 10. The STUNserver 214 sends a STUN response back to the endpoint 104 in step 504with the collected information about the endpoint 104.

In step 506, the endpoint 104 sends an authentication request to theaccess server 102. The request contains the information about endpoint104 received from the STUN server 214. In step 508, the access server102 responds to the request by sending the relevant profile and routingtable to the endpoint 104. The profile contains the external IP address,port, and NAT type for each of the buddies that are online.

In step 510, the endpoint 104 sends a message to notify the endpoint 106of its online status (as the endpoint 106 is already online) and, instep 512, the endpoint 104 waits for a response. After the expiration ofa timeout period within which no response is received from the endpoint106, the endpoint 104 will change the status of the endpoint 106 from“online” (as indicated by the downloaded profile information) to“unreachable.” The status of a buddy may be indicated on a visual buddylist by the color of an icon associated with each buddy. For example,when logging in, online buddies may be denoted by a blue icon andoffline buddies may be denoted by a red icon. If a response to a notifymessage is received for a buddy, the icon representing that buddy may bechanged from blue to green to denote the buddy's online status. If noresponse is received, the icon remains blue to indicate that the buddyis unreachable. Although not shown, a message sent from the endpoint 106and received by the endpoint 104 after step 514 would indicate that theendpoint 106 is now reachable and would cause the endpoint 104 to changethe status of the endpoint 106 to online. Similarly, if the endpoint 104later sends a message to the endpoint 106 and receives a response, thenthe endpoint 104 would change the status of the endpoint 106 to online.

It is understood that other embodiments may implement alternate NATtraversal techniques. For example, a single payload technique may beused in which TCP/IP packets are used to traverse a UDP restrictedfirewall or router. Another example includes the use of a double payloadin which a UDP packet is inserted into a TCP/IP packet. Furthermore, itis understood that protocols other than STUN may be used. For example,protocols such as Internet Connectivity Establishment (ICE) or TraversalUsing Relay NAT (TURN) may be used.

Referring to FIG. 6, a sequence diagram 600 illustrates an exemplaryprocess by which the access server 102 may aid the endpoint 104 inestablishing communications with the endpoint 106 (which is a buddy).After rendering aid, the access server 102 is no longer involved and theendpoints may communicate directly. In the present example, the endpoint106 is behind a NAT device that will only let a message in (towards theendpoint 106) if the endpoint 106 has sent a message out. Unless thisprocess is bypassed, the endpoint 104 will be unable to connect to theendpoint 106. For example, the endpoint 104 will be unable to notify theendpoint 106 that it is now online.

In step 602, the endpoint 106 sends a request to the STUN server 214 ofFIG. 2. As described previously, the STUN server determines an outboundIP address, an external port, and a type of NAT for the endpoint 106.The STUN server 214 sends a STUN response back to the endpoint 106 instep 604 with the collected information about the endpoint 106. In step606, the endpoint 106 sends an authentication request to the accessserver 102. The request contains the information about endpoint 106received from the STUN server 214. In step 608, the access server 102responds to the request by sending the relevant profile and routingtable to the endpoint 106. In the present example, the access server 102identifies the NAT type associated with the endpoint 106 as being a typethat requires an outbound packet to be sent before an inbound packet isallowed to enter. Accordingly, the access server 102 instructs theendpoint 106 to send periodic messages to the access server 102 toestablish and maintain a pinhole through the NAT device. For example,the endpoint 106 may send a message prior to the timeout period of theNAT device in order to reset the timeout period. In this manner, thepinhole may be kept open indefinitely.

In steps 612 and 614, the endpoint 104 sends a STUN request to the STUNserver 214 and the STUN server responds as previously described. In step616, the endpoint 104 sends an authentication request to the accessserver 102. The access server 102 retrieves the buddy list for theendpoint 104 and identifies the endpoint 106 as being associated with aNAT type that will block communications from the endpoint 104.Accordingly, in step 618, the access server 102 sends an assist messageto the endpoint 106. The assist message instructs the endpoint 106 tosend a message to the endpoint 104, which opens a pinhole in the NATdevice for the endpoint 104. For security purposes, as the access server102 has the STUN information for the endpoint 104, the pinhole opened bythe endpoint 106 may be specifically limited to the endpoint associatedwith the STUN information. Furthermore, the access server 102 may notrequest such a pinhole for an endpoint that is not on the buddy list ofthe endpoint 106.

The access server 104 sends the profile and routing table to theendpoint 104 in step 620. In step 622, the endpoint 106 sends a message(e.g., a ping packet) to the endpoint 104. The endpoint 104 may thenrespond to the message and notify the endpoint 106 that it is nowonline. If the endpoint 106 does not receive a reply from the endpoint104 within a predefined period of time, it may close the pinhole (whichmay occur simply by not sending another message and letting the pinholetime out). Accordingly, the difficulty presented by the NAT device maybe overcome using the assist message, and communications between the twoendpoints may then occur without intervention by the access server 102.

Referring to FIG. 7, a sequence diagram 700 illustrates an exemplaryprocess by which the endpoint 106 may request that it be added to theendpoint 104's buddy list. In the present example, the endpoints 104 and106 both remain online during the entire process.

In step 702, the endpoint 104 sends a registration and/or authenticationrequest message to the access server 102 as described previously. Uponauthentication, the access server 102 updates a session table residingon the server to indicate that the user ID currently associated with theendpoint 104 is online. The access server 102 also retrieves a buddylist associated with the user ID currently used by the endpoint 104 andidentifies which of the buddies (if any) are online using the sessiontable. As the endpoint 106 is not currently on the buddy list, it willnot be present. The access server 102 then sends the profile informationand a routing table to the endpoint 104 in step 704.

In steps 706 and 708, the endpoint 106 and access server 102 repeatsteps 702 and 704 as described for the endpoint 104. The profileinformation sent by the access server 102 to the endpoint 106 will notinclude the endpoint 104 because the two endpoints are not buddies.

In step 710, the endpoint 106 sends a message to the access server 102requesting that the endpoint 104 be added to its buddy list. The accessserver 102 determines that the endpoint 104 is online (e.g., using thesession table) in step 712 and sends the address for the endpoint 104 tothe endpoint 106 in step 714. In step 716, the endpoint 106 sends amessage directly to the endpoint 104 requesting that the endpoint 106 beadded to its buddy list. The endpoint 104 responds to the endpoint 106in step 718 with either permission or a denial, and the endpoint 104also updates the access server 102 with the response in step 720. Forexample, if the response grants permission, then the endpoint 104informs the access server 102 so that the access server can modify theprofile of both endpoints to reflect the new relationship. It isunderstood that various other actions may be taken. For example, if theendpoint 104 denies the request, then the access server 102 may notrespond to another request by the endpoint 106 (with respect to theendpoint 104) until a period of time has elapsed.

It is understood that many different operations may be performed withrespect to a buddy list. For example, buddies may be deleted,blocked/unblocked, buddy status may be updated, and a buddy profile maybe updated. For block/unblock, as well as status and profile updates, amessage is first sent to the access server 102 by the endpointrequesting the action (e.g., the endpoint 104). Following the accessserver 102 update, the endpoint 104 sends a message to the peer beingaffected by the action (e.g., the endpoint 106).

Buddy deletion may be handled as follows. If the user of the endpoint104 wants to delete a contact on a buddy list currently associated withthe online endpoint 106, the endpoint 104 will first notify the accessserver 102 that the buddy is being deleted. The access server 102 thenupdates the profile of both users so that neither buddy list shows theother user as a buddy. Note that, in this instance, a unilateral actionby one user will alter the profile of the other user. The endpoint 104then sends a message directly to the endpoint 106 to remove the buddy(the user of the endpoint 104) from the buddy list of the user ofendpoint 106 in real time. Accordingly, even though the user is onlineat endpoint 106, the user of the endpoint 104 will be removed from thebuddy list of the endpoint 106

Referring to FIG. 8, a sequence diagram 800 illustrates an exemplaryprocess by which the endpoint 106 may request that it be added to theendpoint 104's buddy list. In the present example, the endpoint 104 isnot online until after the endpoint 106 has made its request.

In step 802, the endpoint 106 sends a registration and/or authenticationrequest message to the access server 102 as described previously. Uponauthentication, the access server 102 updates a session table residingon the server to indicate that the user ID currently associated with theendpoint 106 is online. The access server 102 also retrieves a buddylist associated with the user ID currently used by the endpoint 106 andidentifies which of the buddies (if any) are online using the sessiontable. The access server 102 then sends the profile information and arouting table to the endpoint 106 in step 804.

In step 806, the endpoint 106 sends a message to the access server 102requesting that the endpoint 104 be added to its buddy list. The accessserver 102 determines that the endpoint 104 is offline in step 808 andtemporarily stores the request message in step 810. In steps 812 and814, the endpoint 104 and access server 102 repeat steps 802 and 804 asdescribed for the endpoint 106. However, when the access server 102sends the profile information and routing table to the endpoint 104, italso sends the request by the endpoint 106 (including addressinformation for the endpoint 106).

In step 816, the endpoint 104 responds directly to the endpoint 106 witheither permission or a denial. The endpoint 104 then updates the accessserver 102 with the result of the response in step 818 and alsoinstructs the access server to delete the temporarily stored request.

Referring to FIG. 9, a sequence diagram 900 illustrates an exemplaryprocess by which the endpoint 106 may request that it be added to theendpoint 104's buddy list. In the present example, the endpoint 104 isnot online until after the endpoint 106 has made its request, and theendpoint 106 is not online to receive the response by endpoint 104.

In step 902, the endpoint 106 sends a registration and/or authenticationrequest message to the access server 102 as described previously. Uponauthentication, the access server 102 updates a session table residingon the server to indicate that the user ID currently associated with theendpoint 106 is online. The access server 102 also retrieves a buddylist associated with the user ID currently used by the endpoint 106 andidentifies which of the buddies (if any) are online using the sessiontable. The access server 102 then sends the profile information and arouting table to the endpoint 106 in step 904.

In step 906, the endpoint 106 sends a message to the access server 102requesting that the endpoint 104 be added to its buddy list. The accessserver 102 determines that the endpoint 104 is offline in step 908 andtemporarily stores the request message in step 910. In step 912, theendpoint 106 notifies the access server 102 that it is going offline.

In steps 914 and 916, the endpoint 104 and access server 102 repeatsteps 902 and 904 as described for the endpoint 106. However, when theaccess server 102 sends the profile information and routing table to theendpoint 104, it also sends the request by the endpoint 106. Endpoint104 sends its response to the access server 102 in step 918 and alsoinstructs the access server to delete the temporarily stored request.After the endpoint 106's next authentication process, its profileinformation will include endpoint 104 as a buddy (assuming the endpoint104 granted permission).

Referring to FIG. 10, in one embodiment, a system 1000 includes astateless reflector 1002 and two endpoints 104 and 106, such as theendpoints 104 and 106 described with respect to the preceding figures.In the present example, each of the endpoints 104 and 106 are behind adevice 1004, 1006, respectively, that monitors and regulatescommunication with its respective endpoint. Each device 1004, 1006 inthe present example is a firewall having NAT technology. As describedpreviously, a NAT device may present an obstacle in establishing apeer-to-peer connection because it may not allow unsolicited messages(e.g., it may require a packet to be sent out through the NAT devicebefore allowing a packet in). For example, the NAT device 1006positioned between the endpoint 106 and network 108 may only let amessage in (towards the endpoint 106) if the endpoint 106 has sent amessage out. Unless the NAT device's status is shifted from notsoliciting messages from the endpoint 104 to soliciting messages fromthe endpoint 104, the endpoint 104 will be unable to connect to theendpoint 106. For example, the endpoint 104 will be unable to notify theendpoint 106 that it is now online.

As will be described below in greater detail, the stateless reflector1002 is configured to receive one or more packets from an endpoint andreflect the packet to another endpoint after modifying informationwithin the packet. This reflection process enables the endpoints 104 and106 to communicate regardless of the presence and type of the NATdevices 1004 and 1006. The stateless reflector 1002 is stateless becausestate information (e.g., information relating to how an endpoint is toconnect with other endpoints) is stored by the endpoints, as describedpreviously. Accordingly, the stateless reflector 1002 processes headerinformation contained within a packet without access to otherinformation about the network or endpoints, such as the database 206 ofFIG. 2 a. Although only one stateless reflector 1002 is illustrated inFIG. 10, it is understood that multiple stateless reflectors may beprovided, and that the endpoints 104 and 106 may each use a differentstateless reflector. For example, an endpoint may be configured to use aparticular stateless reflector or may select a stateless reflector basedon location, NAT type, etc.

Although each endpoint 104, 106 is shown with a separate NAT device1004, 1006, it is understood that multiple endpoints may be connected tothe network 108 via a single NAT device. For example, a LAN may accessthe network 108 via a single NAT device, and all communications betweenthe endpoints connected to the LAN and the network 108 must pass throughthe NAT device. However, communications between the endpoints within theLAN itself may occur directly, as previously described, because theendpoints are not communicating through the NAT device. Furthermore, ifone of the endpoints 104 or 106 does not have a NAT device, thencommunications with that endpoint may occur directly as described aboveeven if the endpoints are not in the same network.

Each NAT device 1004 and 1006 includes an internal IP address (on theside coupled to the endpoint 104 for the NAT device 1004 and the sidecoupled to the endpoint 106 for the NAT device 1006) and an external IPaddress (on the side coupled to the network 108 for both NAT devices).Each connection is also associated with an internal port and an externalport. Therefore, each connection includes both internal IP address/portinformation and external IP address/port information.

Generally, a NAT device may be defined as full cone, restricted cone,port restricted cone, or symmetric. A full cone NAT is one where allrequests from the same internal IP address and port are mapped to thesame external IP address and port. Therefore, any external host can senda packet to the internal host by sending a packet to the mapped externaladdress.

A restricted cone NAT is one where all requests from the same internalIP address and port are mapped to the same external IP address and port.Unlike a full cone NAT, an external host can send a packet to theinternal host only if the internal host has previously sent a packet tothe external host's IP address.

A port restricted cone NAT is like a restricted cone NAT, but therestriction includes port numbers. More specifically, an external hostcan send a packet with source IP address X and source port P to theinternal host only if the internal host has previously sent a packet tothe external host at IP address X and port P.

A symmetric NAT is one where all requests from the same internal IPaddress and port to a specific destination IP address and port aremapped to the same external IP address and port. If the same host sendsa packet with the same source address and port, but to a differentdestination, a different mapping is used. Only the external host thatreceives a packet can send a UDP packet back to the internal host.

Referring to FIG. 11, a table 1100 illustrates one embodiment of acommunication structure that may be used to traverse one or both of theNAT devices 1004 and 1006 of FIG. 10. The table 1100 provides fivepossible types for the NAT devices 1004 and 1006: no NAT, full cone,restricted cone, port restricted cone, and symmetric. It is understoodthat “no NAT” may indicate that no device is there, that a device isthere but does not include NAT functionality, or that a device is thereand any NAT functionality within the device has been disabled. Either ofthe NAT devices 1004 and 1006 may be on the originating side of thecommunication or on the terminating side. For purposes of convenience,the endpoint 104 is the originating endpoint and the endpoint 106 is theterminating endpoint, and the NAT device 1004 is the originating NATdevice and the NAT device 1006 is the terminating NAT device. It isunderstood that the terms “endpoint” and “NAT device” may be usedinterchangeably in some situations. For example, sending a packet to theendpoint 106 generally involves sending a packet to the NAT device 1006,which then forwards the packet to the endpoint 106 after performing thenetwork address translation. However, the following discussion maysimply refer to sending a packet to the endpoint 106 and it will beunderstood that the packet must traverse the NAT device 1006.

As illustrated by the table 1100, there are twenty-five possiblepairings of NAT types and establishing communication between differentNAT types may require different steps. For purposes of convenience,these twenty-five pairings may be grouped based on the required steps.For example, if the originating NAT type is no NAT, full cone,restricted cone, or port restricted cone, then the originating NAT canestablish communication directly with a terminating NAT type of eitherno NAT or full cone.

If the originating NAT type is no NAT or full cone, then the originatingNAT can establish communications with a terminating NAT type of eitherrestricted cone or port restricted cone only after using the statelessreflector 1002 to reflect a packet. This process is described below withrespect to FIG. 12.

Referring to FIG. 12, the endpoint 104 wants to inform the endpoint 106,which is already logged on, that the endpoint 104 has logged on. The NATdevice 1004 is either a no NAT or a full cone type and the NAT device1006 is either a restricted cone or a port restricted cone type.Accordingly, the endpoint 104 wants to send a message to the endpoint106, but has not received a message from the endpoint 106 that wouldallow the endpoint 104 to traverse the NAT device 1006.

Although not shown in FIG. 12, prior to or during authentication, theendpoints 104 and 106 both sent a request to a STUN server (e.g., theSTUN server 214 of FIG. 2) (not shown in FIG. 10). The STUN serverdetermined an outbound IP address, an external port, and a type of NATfor the endpoints 104 and 106 (in this example, for the NAT devices 1004and 1006). The STUN server 214 then sent a STUN response back to theendpoints 104 and 106 with the collected information. The endpoints 104and 106 then sent an authentication request to an access server (e.g.,the access server 102 of FIG. 1) (not shown in FIG. 10). The requestcontains the information about endpoints 104 and 106 received from theSTUN server 214. The access server 102 responds to the requests bysending the relevant profile and routing table to the endpoints 104 and106. In addition, each NAT device 1004 and 1006 may have a pinhole tothe STUN server 214.

In the present example, the NAT device 1004 has an external address/portof 1.1.1.1:1111 and the NAT device 1006 has an external address/port of2.2.2.2:2222. The STUN server 214 has an address/port of 3.3.3.3:3333and the stateless reflector has an address/port of 4.4.4.4:4444. It isunderstood that the STUN server and/or stateless reflector 1002 may havemultiple addresses/ports.

Referring to FIG. 12 and with additional reference to FIG. 13, in step1202, the endpoint 104 sends a packet to the stateless reflector 1002.The packet contains header information identifying the source as theendpoint 104 (or rather, the external IP address of the NAT device 1004)and the destination as the stateless reflector 1002. The packet alsocontains custom or supplemental header information identifying thesource as the STUN server 214 and the destination as the endpoint 106.Accordingly, the IP/UDP header of the packet sent from the endpoint 104(via the NAT device 1004) identifies its source as 1.1.1.1:1111 and itsdestination as 4.4.4.4:4444.

In step 1204, the stateless reflector 1002 modifies the packet header byreplacing the IP/UDP header with the source and destination from thecustom header. In the present example, the stateless reflector 1002 willmodify the IP/UDP header to identify the packet's source as 3.3.3.3:3333and its destination as 2.2.2.2:2222. Identifying the packet's source asthe STUN server 214 enables the stateless reflector 1002 to send thepacket through the pinhole in the NAT device 1006 that was created whenthe endpoint 106 logged on. After modifying the header, the statelessreflector 1002 sends the packet to the endpoint 106 via the NAT device1006 in step 1206.

In step 1208, the endpoint 106 sends an acknowledgement (e.g., a 200 OK)directly to the endpoint 104. The address of the endpoint 104 iscontained within the payload of the packet. The endpoint 106 is able tosend the acknowledgement directly because the NAT device 1004 is eithera no NAT or a full cone type. Because the endpoint 106 has opened apinhole through the restricted or port restricted NAT device 1006 to theendpoint 104 by sending a message to the endpoint 104, the endpoint 104is now able to communicate directly with the endpoint 106, as indicatedby step 1210.

Referring again to table 1100 of FIG. 11, if the originating NAT type iseither a no NAT type or a full cone type, then the originating NAT canestablish communications with a terminating NAT type that is symmetriconly after using the stateless reflector 1002 to reflect a packet andthen performing a port capture. This process is described below withrespect to FIG. 14.

Referring to FIG. 14, steps 1402, 1404, 1406, and 1408 are similar tothe reflection process described with respect to FIG. 12, and will notbe described in detail in the present example. Because the terminatingNAT type is symmetric, the originating NAT needs the port of theterminating NAT in order to send packets through the NAT device 1006.Accordingly, in step 1410, the endpoint 104 will capture the externalport used by the NAT device 1006 to send the acknowledgement in step1408. This port, along with the address of the NAT device 1006, may thenbe used when communicating with the endpoint 106, as indicated by step1412.

Referring again to table 1100 of FIG. 11, if the originating NAT type iseither a restricted cone type or a port restricted cone type, then theoriginating NAT can establish communications with a terminating NAT typethat is either restricted or port restricted by using a fake packet andthen using the stateless reflector 1002 to reflect a packet. Thisprocess is described below with respect to FIG. 15.

Referring to FIG. 15, in step 1502, the endpoint 104 sends a fake packetto the endpoint 106. Because the originating NAT type is a restrictedcone type or a port restricted cone type, the fake packet opens apinhole to the terminating NAT that will allow a response from theterminating NAT to penetrate the originating NAT. After sending the fakepacket, the sequence 1500 proceeds with steps 1504, 1506, 1508, and1510, which are similar to the reflection process described with respectto FIG. 12, and will not be described in detail in the present example.The endpoints 104 and 106 may then communicate directly, as indicated bystep 1512.

Referring again to table 1100 of FIG. 11, if the originating NAT type isa symmetric type, then the originating NAT can establish communicationswith a terminating NAT type that is either no NAT or full cone after aport capture occurs. This process is described below with respect toFIG. 16.

Referring to FIG. 16, in step 1602, the endpoint 104 (symmetric NATtype) sends a message to the endpoint 106. In step 1604, the endpoint106 captures the external port used by the NAT device 1004 in sendingthe message. This port, along with the address of the NAT device 1004,may then be used when communicating with the endpoint 104 directly, asindicated by step 1606.

Referring again to table 1100 of FIG. 11, if the originating NAT type isa restricted cone type, then the originating NAT can establishcommunications with a terminating NAT type that is symmetric by using afake packet, reflecting a packet using the stateless reflector 1002, andthen performing a port capture. This process is described below withrespect to FIG. 17.

Referring to FIG. 17, in step 1702, the endpoint 104 sends a fake packetto the endpoint 106. Because the originating NAT type is a restrictedcone type, the fake packet opens a pinhole to the terminating NAT thatwill allow a response from the terminating NAT to penetrate theoriginating NAT. After sending the fake packet, the sequence 1700proceeds with steps 1704, 1706, 1708, and 1710, which are similar to thereflection process described with respect to FIG. 12, and will not bedescribed in detail in the present example. In step 1712, the endpoint104 captures the external port used by the NAT device 1006 in sendingthe acknowledgement in step 1710. This port, along with the address ofthe NAT device 1006, may then be used when communicating with theendpoint 106 directly, as indicated by step 1714.

Referring again to table 1100 of FIG. 11, if the originating NAT type isa symmetric type, then the originating NAT can establish communicationswith a terminating NAT type that is a restricted cone type by using areflect, a fake packet, and a port capture. This process is describedbelow with respect to FIG. 18.

Referring to FIG. 18, steps 1802, 1804, and 1806 are similar to thereflection process described with respect to FIG. 12, and will not bedescribed in detail in the present example. In step 1808, in response tothe reflected message from the endpoint 104, the endpoint 106 sends afake packet to the endpoint 104. Because the terminating NAT type is arestricted cone type, the fake packet opens a pinhole to the endpoint104 to allow messages from the endpoint 104 to traverse the NAT device1006. Accordingly, in step 1810, the endpoint 104 can send the nextmessage directly to the endpoint 106 through the pinhole. In step 1812,the endpoint 106 captures the external port used by the NAT device 1004to send the message in step 1810. This port, along with the address ofthe NAT device 1004, may then be used by the endpoint 106 whencommunicating directly with the endpoint 104, as indicated by step 1814.

Referring again to table 1100 of FIG. 11, if the originating NAT type isa symmetric type and the terminating NAT type is a port restricted cone,or if the originating NAT type is a port restricted cone and theterminating NAT type is symmetric, then all signaling between the twoNAT devices is relayed via the stateless reflector 1002, while media istransferred via peer-to-peer, as described previously. If both theoriginating and terminating NAT types are symmetric, then all signalingand media are relayed via the stateless reflector 1002.

Accordingly, the peer-to-peer communications described herein may beachieved regardless of the NAT type that may be used by an endpoint. Thestateless reflector 1002 need not know the information for each client,but instead reflects various packets based on information containedwithin the packet that is to be reflected. Both the custom header andpayload may be encrypted for security purposes. However, the statelessreflector 1002 may only be able to decrypt the custom header and thepayload itself may only be decrypted by the terminating endpoint. Thisenables the stateless reflector 1002 to perform the reflectionfunctionality while maintaining the security of the payload itself. Asdescribed above, not all processes for traversing a NAT device may usethe stateless reflector 1002.

Referring to FIGS. 19A and 19B, in another embodiment, a peer-to-peerenvironment 1900 includes the two endpoints 104 and 106, the two NATdevices 1004 and 1006, and the stateless reflector 1002 of FIG. 10, andanother endpoint 1901. Also illustrated are three possible routesbetween endpoints: a private (pr) route 1902, a public (pu) route 1904,and a reflected (rl) route 1906. FIG. 19A illustrates the routes 1902,1904, and 1906 between the endpoint 104 and the endpoint 1901, and FIG.19B illustrates the routes between the endpoint 104 and the endpoint106. As will be discussed below in detail, the endpoints 104, 106, and1901 may contain logic that allows one of the three routes 1902, 1904,and 1906 to be selected in a dynamic and flexible manner rather thanrelying on the rule-based system described above.

A rule-based system may be fairly inflexible, as such a system generallyhas a clear set of rules that are defined for various NAT situations andthe current relationship between the two endpoints is handled accordingto those rules. Network configuration changes and other modificationsmay require revisions to the rules, which is not convenient and mayprevent the endpoints from communicating until the rules are revised.Accordingly, in some embodiments, the flexibility described below mayenable the endpoints 104, 106, and 1901 to adapt to new networkconfigurations without requiring updated rules as would be required in astrictly rule-based system. In still other embodiments, the logic withinthe endpoints 104, 106, and 1901 may be updated to handle new networkconfigurations, which also provides flexibility not found in strictlyrule-based systems.

Each endpoint 104, 106, and 1901 may include one or more virtualinterfaces for communication with other endpoints. In the presentexample, there are three virtual interfaces including a private virtualinterface corresponding to the private route 1902, a public virtualinterface corresponding to the public route 1904, and a relay virtualinterface corresponding to the relay route 1906. It is understood thatthe term “virtual interface” is used only for purposes of description toclarify that there are multiple possible routes. Accordingly, the term“virtual interface” need not denote separate physical network interfaceson an endpoint, but may use a single physical network interface.

As described above, each endpoint 104, 106, and 1901 is generallyassociated with two IP address/port pairs. The first IP address/portpair may be the local (i.e., private) IP address/port information thatrepresents each of the endpoints 104, 106, and 1901 in the network thatis “inside” the corresponding NAT device 1004 or 1006. For example, thefirst IP address/port pair for the endpoint 104 may be the physicaladdress assigned to the endpoint 104 by the corresponding NAT device1004. This first IP address/port pair corresponds to the private virtualinterface and may provide access via the private route to the endpoint104 by endpoints in the same local network (e.g., the endpoint 1901).The second IP address/port pair may be the public IP address/portinformation that represents each of the endpoints 104, 106, and 1901 inthe network that is “outside” the corresponding NAT device 1004 or 1006.For example, the second IP address/port pair for the endpoint 104 may bethe address that is returned to the endpoint 104 by the STUN server aspreviously described (e.g., the NAT's external IP address/port pairassigned to the endpoint 104). This second IP address/port pair for theendpoint 104 corresponds to the public virtual interface and may provideaccess via the public route to the endpoint 104 by endpoints both insideand outside the endpoint 104's local network. Each endpoint 104, 106,and 1901 is also aware of the address information of the reflector 1002as described in previous embodiments, which corresponds to the relayvirtual interface of the endpoints. The relay route may be used in(5,4), (4,5), and/or (5,5) conditions according to the table of FIG. 11,where one endpoint must send a packet first, but is unable to do sobecause the other endpoint must send a packet first.

Referring to FIG. 20, a sequence diagram illustrates one embodiment of amessage sequence 2000 that may occur between the endpoints 104 and 1901of FIG. 19A when identifying which of the routes (i.e., the privateroute 1902, the public route 1904, and the relay route 1906) will beused for communications. In the present example, the endpoints 104 and1901 are in a local (i.e., private) network such as an Enterprisenetwork, a local area network (LAN), a virtual LAN (VLAN), or a homenetwork. This local network is isolated from the public network by theNAT device 1004 or a similar network component. Although shown as asingle NAT device, it is understood that the NAT device 1004 may be aseparate NAT device for each of the endpoints 104 and 1901. In contrast,the endpoint 106 is in a separate network that is only accessible by theendpoints 104 and 1901 via a public network that forms all or part ofthe packet network 108.

The present example uses a SIP messaging model over UDP, and soaccommodates the transaction-based SIP model within connection-less UDPmessaging. Because UDP is not transaction based, certain messagehandling processes may be used to conform to SIP standards, such asdiscarding multiple messages when the SIP model expects a messagebelonging to a specific transaction. However, it is understood that thesequence 2000 may be implemented using many different messaging models.In the present example, neither endpoint is online at the beginning ofthe sequence and the endpoints 104 and 1901 are “buddies.” As describedabove, buddies are endpoints that have both previously agreed tocommunicate with one another.

In steps 2002 and 2006, the endpoints 104 and 1901, respectively, sendSTUN requests to obtain their corresponding public IP address/port pairs(NATIP, NATPort). In the present example, the reflector 1002 is servingas a STUN server, but it is understood that the STUN server may beseparate from the reflector. The reflector 1002 responds to the STUNrequests with the public IP address and port information for each of theendpoints 104 and 1901 in steps 2004 and 2008, respectively.

As the two endpoints 104 and 1901 are not logged in when the presentexample begins, they must both authenticate with the access server 102.In step 2010, the endpoint 104 sends an authentication request to theaccess server 102 with its private and public IP address/port pairs. Instep 2012, the access server 102 responds to the authentication requestand, as described previously, returns information that includes theprivate and public IP addresses of any buddy endpoints that arecurrently logged in. However, as the endpoint 1901 has not yet loggedin, the information received by the endpoint 104 from the access server102 will not include any address information for the endpoint 1901.

In step 2014, the endpoint 1901 sends an authentication request to theaccess server 102 with its private and public IP address/port pairs. Instep 2016, the access server 102 responds to the authentication requestand, as described previously, returns information that includes theprivate and public IP addresses of any buddy endpoints that arecurrently logged in. As the endpoint 104 is currently logged in, theinformation received by the endpoint 1901 from the access server 102will include the private and public address information for the endpoint104. Although not shown, the endpoint 1901 may then send a message tothe endpoint 104 informing the endpoint 104 that the endpoint 1901 iscurrently online. This message may contain the private and publicaddress information of the endpoint 1901. The message may be sent viathe three different routes as described below with respect to latermessaging, or may be sent via one or more selected routes. For example,the message may only be relayed (i.e., sent via the relay route) due tothe high chance of success of that route.

At this point, the endpoint 104 wants to establish a communicationsession with the endpoint 1901, but does not know which of the threeroutes (i.e., pr, pu, and rl) should be used. In the previouslydescribed rule-based system, the endpoint 1901 would publish its NATinformation, which enables the endpoint 104 to determine how toestablish a connection. However, in the present example, suchinformation is not published and the endpoint 104 does not know whetherthe endpoint 1901 is in the same private network as the endpoint 104,whether the endpoint 1901 is only accessible via a public network,whether the endpoint 1901 is behind a NAT device, or, if the endpoint1901 is behind a NAT device, the settings of the NAT device (full cone,port restricted, etc.). Accordingly, the endpoint 104 needs todynamically determine which of the three routes to use with the endpoint1901.

Accordingly, in step 2018, the endpoint 104 interacts with the endpoint1901 to determine which of the three routes should be used to sendmessages to the endpoint 1901. Similarly, in step 2020, the endpoint1901 interacts with the endpoint 104 to determine which of the threeroutes should be used to send messages to the endpoint 104, which maynot be the same route as that used by the endpoint 104 to send messagesto the endpoint 1901. Steps 2018 and 2020 are illustrated in greaterdetail below with respect to FIG. 21. In step 2022, the two endpointscommunicate via the determined route(s).

Referring to FIG. 21, a sequence diagram illustrates one embodiment of amessage sequence 2100 that may occur during steps 2018 and 2020 of FIG.20 in order to determine which of the routes are to be used. Theendpoint 104 may keep a table containing each buddy that is online andthe route to be used for that buddy. For example, when the route isunknown, the table may have the information shown in Table 1 below:

TABLE 1 Buddy Endpoint Route (send-receive) 1901 unk-unk X X X X

The endpoint 104 (which is the originating endpoint in the presentexample) sends out three presence messages in steps 2102, 2104, and2106. As the current example uses SIP messaging transported via UDP, themessage is a SIP INFO message. More specifically, in step 2102, theendpoint 104 sends a SIP INFO message to the private IP address/portpair of the endpoint 1901 (i.e., via the private route) with anidentifier such as a ‘pr’ tag to indicate the route. In step 2104, theendpoint 104 sends a SIP INFO message to the public (NAT) IPaddress/port pair of the endpoint 1901 (i.e., via the public route) withan identifier such as a ‘pu’ tag to indicate the route. In step 2106,the endpoint 104 sends a SIP INFO message to the endpoint 1901 via thereflector 1002 (i.e., via the relay route) with an identifier such as an‘rl’ tag to indicate the route, which is reflected to the endpoint 1901in step 2108.

The order in which the messages are sent may vary, but the order followsa hierarchy of desired routes in the present embodiment that places theprivate route first (i.e., most desirable), the public route next, andthe relay route last (i.e., least desirable). However, it is understoodthat the order in which the messages are sent may vary or, if theendpoint 104 is capable of sending multiple messages simultaneously, themessages may be sent at the same time.

The present example assumes that the endpoint 1901 receives one or moreof the messages sent in steps 2102, 2104, and 2106. If more than onemessage is received, the endpoint 1901 may respond only to the first onereceived. So, for example, if the message sent via the private route isreceived before the messages sent via the public and relay routes, theendpoint 1901 will respond only to the private route message and thelater messages will be ignored. This reduces network traffic andprovides for SIP compliance as the endpoint 104 (from a SIP perspective)expects to receive a single 200 OK message in response to its SIP INFOmessage. Furthermore, the response message may be sent back along thesame route as the presence message to which the response is directed. Soa response to the private route message will be sent back along theprivate route. Accordingly, only one of steps 2110A, 2110B, and 2110C-1may occur in the present example. Step 2110C-2 is dependent on theoccurrence of step 2110C-1 because the response message will not bereflected unless the relay route is used.

The response message returned by the endpoint 1901 is a SIP 200 OKmessage that may include the tag extracted from the received INFOmessage to identify which of the routes was successful (e.g., whichroute carried the message that was received first). For purposes ofexample, the private route was successful and the table may then beupdated as shown in Table 2 below:

TABLE 2 Buddy Endpoint Route (send-receive) 1901 pr-unk X X X X

It is noted that since the private route is successful, the twoendpoints 104 and 1901 are in the same private network.

It is understood that the response message (e.g., the SIP 200 OK) maynever be received by the endpoint 104. For example, the private routemay not be available from the endpoint 1901 to the endpoint 104 due tonetwork configuration settings. Accordingly, if the SIP 200 OK is notreceived by the endpoint 104, the endpoint 104 may execute aretransmission process that resends the presence messages along thethree routes. The resending may occur a set number of times, for a setperiod of time, or until some other limit is reached. For example, thefirst set of presence messages may be sent 0.5 seconds after the initialmessages are sent, the second set of messages may be sent one secondafter that, and each additional set of messages may be sent at timeperiods that are double the previous delay until a total of seven setsof messages are sent. At this time, the endpoint 104 may stop sendingmessages. If a response is received during the retransmission process,the endpoint 104 will stop retransmitting. However, the response messagewill generally be received by the endpoint 104.

The outbound SIP INFO messages and the received SIP 200 OK messageinform the endpoint 104 of which route to use when sendingcommunications to the endpoint 1901. However, this route may not work inreverse. In other words, just because the endpoint 104 can reach theendpoint 1901 via the private route (to continue the example), it doesnot necessarily follow that the endpoint 1901 can reach the endpoint 104using the same route. For example, differences in the configurations ofNAT devices or other network differences may mean one endpoint can bereached via a particular route even if the reverse route is notavailable.

Accordingly, the endpoint 1901 sends out three presence messages insteps 2112, 2114, and 2116. As the current example uses SIP messagingtransported via UDP, the message is a SIP INFO message. Morespecifically, in step 2112, the endpoint 1901 sends a SIP INFO messageto the private IP address/port pair of the endpoint 104 (i.e., via theprivate route). In step 2114, the endpoint 1901 sends a SIP INFO messageto the public (NAT) IP address/port pair of the endpoint 104 (i.e., viathe public route). In step 2116, the endpoint 1901 sends a SIP INFOmessage to the endpoint 104 via the reflector 1002 (i.e., via the relayroute), which is reflected to the endpoint 104 in step 2118.

The present example assumes that the endpoint 104 receives one or moreof the messages sent in steps 2112, 2114, and 2116. If more than onemessage is received, the endpoint 104 may respond only to the first onereceived. Accordingly, only one of steps 2120A, 2120B, and 2120C-1 mayoccur in the present example. Step 2120C-2 is dependent on theoccurrence of step 2120C-1 because the response message will not bereflected unless the relay route is used. The response message returnedby the endpoint 104 is a SIP 200 OK message that identifies which of theroutes was successful (e.g., was received first).

If the first (or only) SIP INFO message received by the endpoint 104from the endpoint 1901 is received via the same route as that used bythe endpoint 104 to send messages to the endpoint 1901 (e.g., theprivate route), then the communication session is established withmessages going both ways on that route. At this point, the table maythen be updated as shown in Table 3 below:

TABLE 3 Buddy Endpoint Route (send-receive) 1901 pr-pr X X X X

However, the first (or only) SIP INFO message received by the endpoint104 from the endpoint 1901 may be received on a different route thanthat used by the endpoint 104 to send messages to the endpoint 1901.When this occurs, the endpoint 104 flags this as the endpoint 1901responded to the INFO message via one route but is now communicating viaanother route. For example, the endpoint 1901 responded on the privateroute, but is now using the public route. One possibility for thisdiscrepancy is that there is a router or other network deviceinterfering with the return path (i.e., the path used by the endpoint1901 to send messages to the endpoint 104). Another possibility is thata message went faster one way than another way. For example, while theendpoint 1901 may have received the private message from the endpoint104 (i.e., the message of step 2102 of FIG. 21) before the othermessages, the endpoint 104 may have received the public message from theendpoint 1901 (i.e., the message of step 2114 of FIG. 21) before thepublic and relay messages.

When this occurs, the endpoint 104 may transition from the private routeto the public route. This results in sending and receiving routes ofpu-pu as illustrated by Table 4 below:

TABLE 4 Buddy Endpoint Route (send-receive) 1901 pu-pu X X X X

The endpoint 104 may also be configured to confirm that this transitionis correct. To confirm the transition, the endpoint 104 executes aconfirmation process and sends a confirmation message to the endpoint1901 on the private route (i.e., the route that the endpoint 104 thinksit should be using to send messages to the endpoint 1901). In thepresent example, the confirmation message may include a SIP field namedMAX_FORWARDS that defines a maximum number of hops that a packet cantake before being dropped. The MAX_FORWARDS field has a standard defaultvalue of seventy, but the endpoint 104 may set the value to one (i.e.,MAX_FORWARDS=1). If the response message from the endpoint 1901 isreceived by the endpoint 104 and has set the MAX_FORWARDS field to 0,then the endpoint 104 transitions back to the private route and usesthat route for sending future messages. This results in differentsending and receiving routes as illustrated by Table 5 below:

TABLE 5 Buddy Endpoint Route (send-receive) 1901 pr-pu X X X X

However, if the endpoint 104 does not receive a response message to itsconfirmation message, it continues using the public route. This resultsin sending and receiving routes of pu-pu as illustrated by Table 4above.

Communications between the endpoints 104 and 106 as illustrated in FIG.19B may follow the same sequence of presence messages and responses asthat described above with respect to FIGS. 20 and 21. However, since theendpoints 104 and 106 are in separate networks (i.e., not the same localnetwork), the private route 1902 is not available and the privatepresence messages will fail to reach their destination. The presencemessages may still be sent each way on the private route as theendpoints 104 and 106 do not know the location of the other endpoint,but the messages will be dropped. For example, the NAT devices 1004 and1006 may both be routers that have an address of 192.168.1.1 in theirrespective home networks. The NAT device 1004 may assign a privateaddress of 192.168.1.10 to the endpoint 104 and the NAT device 1006 mayassign a private address of 192.168.1.15 to the endpoint 106. Althoughthese addresses appear to be in the same local network, they are not.However, as the endpoints 104 and 106 have no way of knowing whether theprivate addresses are in the same local network until they perform theirstrategic routing sequences, they may both send their private presencemessages along the private route, even though the messages will bothfail. Accordingly, the endpoints 104 and 106 will use the public route1904 and/or the relay route 1906 when communicating.

Referring to FIG. 22, a flowchart illustrates one embodiment of a method2200 that may represent a process by which an endpoint such as theendpoint 104 of FIGS. 19A and 19B establishes a connection with anotherendpoint as described with respect to FIGS. 20 and 21 above.

In step 2202, the endpoint 104 sends outbound presence messages on theprivate, public, and relay routes. The presence messages may containidentifiers such as tags or other route indicators, or the receivingendpoint may simply note which virtual interface (i.e., pr, pu, or rl)received a particular presence message and correlate the message withthe route upon receipt. In step 2204, the endpoint 104 receives aresponse message that indicates which of the presence messages wasreceived first. For example, the response message may include the tagfrom the presence message to identify the route corresponding to thereceived presence message. In step 2206, the endpoint 104 selects theidentified route as the initial outbound route for messages being sentto the other endpoint.

In step 2208, the endpoint receives one or more inbound presencemessages from the other endpoint. In step 2210, the endpoint 104 sends aresponse to the first received inbound presence message.

In step 2212, the endpoint 104 determines whether the inbound route ofthe message received in step 2210 is the same route as the initialoutbound route selected in step 2206. If the routes are the same, themethod 2200 continues to step 2220 and uses the initial outbound routeto send messages to the other endpoint. If the routes are not the same,the method 2200 moves to step 2214 and sends a confirmation message tothe other endpoint using only the initial outbound route. In step 2216,the endpoint 104 determines whether a response to the confirmationmessage has been received. If no response to the confirmation messagehas been received, the method 2200 moves to step 2218 and transitions tothe inbound route as the new outbound route for messages being sent tothe other endpoint. If a response to the confirmation message has beenreceived, the method 2200 continues to step 2220 and uses the initialoutbound route to send messages to the other endpoint.

In step 2222, the endpoint 104 may begin sending keep-alive messages tothe other endpoint to ensure that the outbound route remains open. Forexample, one of the networks or NAT devices involved in the establishedsession may undergo a configuration change or a failure while the twoendpoints are online, and so an existing route may become unusable. Insuch a case, the endpoint may detect that the keep-alive messages arefailing and so may return to step 2202 to re-establish a valid route. Itis noted that the other endpoint may not need to re-establish itsoutbound route. For example, if the inbound and outbound routes for theendpoint 104 are different, the inbound route may remain valid eventhough the outbound route is invalid. Accordingly, some steps of themethod 2200 may be skipped in some scenarios.

It is noted that many different variations of the method 2200 may exist.For example, the endpoint 104 may transition to the inbound route as thenew outbound route if it is determined in step 2212 that the routes arenot the same, rather than remaining on the initial outbound route. Then,if a response is received to the confirmation message, the endpoint 104may transition back to the initial outbound virtual interface.Furthermore, as stated previously, the response message may never bereceived by the endpoint 104 and so some steps of the method 2200 maynot occur or may occur in a different order as there may be no responsemessage available to determine the initial outbound route. It is alsonoted that some steps of the method 2200 may be performed in a differentorder than shown. For example, step 2208 may occur before step 2204depending on network latency and other factors.

Referring to FIGS. 23A and 23B, in another embodiment, the endpoints 104and 106, the two NAT devices 1004 and 1006, and the stateless reflector1002 of FIGS. 19A and 19B are illustrated with a tunneling server orother access device 2302 and another endpoint 2304. The tunneling server2402 may provide access to other endpoints for an endpoint that does nothave UDP access or access to another expected protocol. For example, ifthe endpoint 104 performs a STUN request and the request fails, thenetwork within which the endpoint 104 is positioned may not support UDP(e.g., the network may be an Enterprise network that has disabled UDP).For purposes of illustration, the endpoints 104 and 2304 are in aprivate network and not separated by the NAT device 1004, and theendpoint 106 is separated from the endpoint 104 by the NAT devices 1004and 1006.

Referring to FIG. 24, a sequence diagram illustrates one embodiment of amessage sequence 2400 that may occur in the environment of FIGS. 23A and23B to establish a connection between the endpoints 104 and 106. As withthe previous discussion of FIG. 20, the endpoints 104 and 106 may eachmaintain a table, although this is not shown in the present example.

In step 2402, the endpoint 104 sends a STUN request that fails. Based onthe failure of the STUN request, the endpoint 104 determines that thenetwork (e.g., the NAT device 1004) has disabled UDP. It is understoodthat other indicators may be used to determine that UDP is notavailable. In step 2404, based on the unavailability of UDP, theendpoint 104 opens a TCP/IP connection (i.e., a tunnel) with thetunneling server 2302. This connection may use a port such as port 443of the NAT device 1004, which is the default TCP port for HTTP Secure(HTTPS) connections using the Transport Layer Security (TLS) or SecureSocket Layer (SSL) protocols. However, it is understood that port 443 isonly an example and that other available ports may be used. In step2406, the endpoint 104 requests a shadow IP address and shadow port onthe tunneling server 2302. In step 2408, the tunneling server 2302creates the shadow IP address and port and returns this information tothe endpoint 104 in step 2410.

The shadow IP address and shadow port serve as the public address andport of the endpoint 104 for other endpoints. In other words, the shadowIP address/port replace the NAT IP address/port that would serve as thepublic contact information for the endpoint 104 in an environment inwhich UDP is available to the endpoint 104 (e.g., as in FIGS. 19A and19B). In some embodiments, the shadow IP address/port pairs may beplaced on a shadow list as they are provisioned and the shadow list maybe available to the access server 102 and/or endpoints. In otherembodiments, the access server 102 and/or endpoints may have a list orrange of IP addresses/ports that are known to be shadows. In still otherembodiments, the knowledge of whether an IP address/port is a shadow isnot available to the access server 102 and/or endpoints.

In step 2412, the endpoint 104 authenticates with the access server 102via the tunnel using its local IP address/port and shadow address/portinformation. In step 2414, the access server 102 authenticates theendpoint 104 and sends the endpoint 104 the contact information ofonline buddies, including corresponding private, public, and shadow IPaddress/port information.

Although not shown in FIG. 24, the endpoint 106 sends a request to aSTUN server and receives its public IP address/port information asdescribed with respect to the endpoints 104 and 1901 in FIG. 20. Sincethe endpoint 106 is successful with its STUN request, it does not needto use the tunneling server 2302. In steps 2416 and 2418, the endpoint106 authenticates with the access server and receives the private IPaddress/port and shadow IP address/port of the endpoint 104. Asdiscussed above, the endpoint 106 may or may not know that the endpoint104 is using a shadow, depending on the particular implementation of theshadow list.

In steps 2420 and 2422, the endpoints 104 and 106 may establish acommunication session as described previously with respect to FIGS. 20and 21. However, the communications between the two endpoints 104 and106 will use the tunnel between the endpoint 104 and the tunnelingserver 2302 and the corresponding shadow IP address and port for theendpoint 104.

In embodiments where the endpoint 106 knows that the endpoint 104 isusing a shadow, the endpoint 106 may not send a presence message via theprivate route as the endpoint 106 knows that the private route is notavailable. In other embodiments, the endpoint 106 may send a presencemessage via the private route even though the route is not available.

Communications between the endpoints 104 and 2304 as illustrated in FIG.23B may follow a similar sequence of presence messages and responses asthat described above with respect to FIG. 24. However, since theendpoints 104 and 2304 are in the same local network, the private route1902 is available and the private presence messages may reach theirdestinations. The endpoint 2304 may not use a relay message to try toreach the endpoint 104, since its failed STUN request will inform theendpoint 2304 that UDP is not available. In order to use the public andrelay routes, the endpoint 2304 will create a tunnel with the tunnelingserver 2303 as described above with respect to the endpoint 104. Thepublic and relay messages may still work via the respective tunnels ofthe endpoints 104 and 2304.

Referring to FIG. 25, in another embodiment, an environment 2500 isillustrated in which the endpoint 104 (FIG. 1) and the endpoint 106(FIG. 1) may communicate via a third party instant messaging (IM) system2502. As will be described below, at least the initial signaling betweenthe endpoints 104 and 106 may use the third party IM system 2502 as asignaling path, while media transfers between the endpoint 104 and 106may occur outside of the third party IM system 2502 using other routes(e.g., the private route 1902, the public route 1904, and/or thereflected route 1906 of FIGS. 19A and 19B). Later signaling may use thethird party IM system 2502 and/or the other route(s) as will bedescribed below. In the present embodiment, one or both of the endpoints104 and 106 are mobile devices, although it is understood that they maybe any other type of endpoint as described above. Furthermore, theendpoints 104 and 106 have IM functionality, audio/video functionality,and/or any other functionality that may be provided by an endpoint.

As is known, IM systems such as the third party IM system 2502 allow auser to send and receive instant messages (i.e., text messages) using anIM client provided by the particular third party IM system 2502. In someIM systems, the instant messages may include text formatting options(e.g., allowing bold or italicized text) and may also allow otherinformation, such as HyperText Transfer Protocol (HTTP) links, to besent and recognized by the IM client. However, such instant messages maybe limited to text and may provide limited or no media options. In caseswhere media options are provided within the third party IM system 2502,the media options may be separate from the instant messages and may beproprietary to the third party IM system 2502. This means that the mediaoptions may not be accessible to outside service providers, while theinstant message interfaces may be documented for use by outside serviceproviders.

Signaling communications between the endpoints 104 and 106 using theinstant message capabilities provided by the third party IM system 2502may be routed through the third party IM system 2502 (e.g., through aserver of the third party system 2502) as illustrated by path 2504, maybe routed between the endpoints 104 and 106 as illustrated by path 2506,or may be routed through some combination of the paths 2504 and 2506.Media communications (and some signaling communications in someembodiments) are routed through one or more routes that are supported bya peer-to-peer hybrid network and are outside of the third party IMsystem 2502. For example, the media routes may include one or more ofthe private route 1902, the public route 1904, and/or the relay route1906. Although not shown as an available route in FIG. 25, it isunderstood that the private route 1902 may be available if the endpoint106 is in the same network as the endpoint 104 as described with respectto FIG. 19A.

In FIG. 25, the bearer type for a signaling message (i.e., whether thebearer is an IM or a media message such as an RTP message) depends onthe channel used to carry the signaling message. For example, if thepublic route 1904 is used for signaling, the signaling messages will becarried by media packets (e.g., RTP packets). This is referred to as“Signaling (media channel)” in FIG. 25. If the third party IM system isused for signaling, the signaling messages will be carried by IM. Thisis referred to as “Signaling (IM channel)” in FIG. 25. Accordingly, thepublic route 1904 is a media route from the perspective of bearer type,but may be both a media route and a signaling route from the perspectiveof message type. In other words, the public route 1904 may carry bothmedia and signaling, but it carries both as a media bearer channel.

In the present example, the endpoints 104 and 106 each include endpointfunctionality for direct communications via the peer-to-peer hybridnetwork as described previously. The endpoints 104 and 106 also includeIM clients 2508 and 2510, respectively, that are compatible with thethird party IM system 2502. For example, each endpoint 104 and 106includes the softswitch 258 that has an IM control module as illustratedin FIG. 2 b and this IM control module may include, form, and/or controlthe IM clients 2508 and 2510. The IM control module may be configured toprovide access to the third party IM system 2502 for users of theendpoints 104 and 106. In some embodiments, the IM control module mayprovide access to multiple third party IM systems. To use the thirdparty IM system 2502, the endpoints 104 and 106 would each select thethird party IM system 2502 (if multiple third party IM systems areavailable for use) and login to the third party IM system 2502. The IMcontrol module would manage the IM session, enabling the endpoints 104and 106 to use the third party IM system 2502 without actually needingthe separate IM client provided by the third party IM system 2502. Inother embodiments, the IM control module may control a separate clientprovided by the third party IM system 2502.

An outside service provider, such as a provider controlling the accessserver 102 and the client software providing endpoint functionality tothe endpoints 104 and 106, may want to provide services to the endpoints104 and 106 within the third party IM system 2502. However, the servicesmay not be supported by the third party IM system 2502 or use of theservices to the outside service provider may be blocked by the thirdparty IM system 2502. Accordingly, the outside service provider may usethe available communication channel provided by the instant messaging ofthe third party IM system 2502 to provide additional services outside ofthe third party IM system 2502.

Referring to FIG. 26A, a sequence diagram illustrates one embodiment ofa message sequence 2600 that may occur in the environment 2500 of FIG.25. In the present example, the endpoints 104 and 106 are friends withinthe third party IM system 2502. The endpoint 104 wants to establish acall with the endpoint 106 using services that are not provided and/orare blocked by the third party IM system 2502. The term “call” as usedin the following disclosure may include the transmission and receptionof audio, video, and/or data. For example, a call may include one-way ortwo-way audio or audio/video information that may be streamed ornon-streamed, as well as data of various types (e.g., text and/orfiles). The term “call” may also include multi-party calls, such asconference calls.

In step 2602, the endpoint 104 may contact the access server 102(FIG. 1) to obtain the address information of a reflector (e.g., thereflector 1002 of FIG. 10). In other embodiments, the endpoint 104 mayobtain the address of the reflector 1002 in other ways. Furthermore, theendpoint 104 may be logged into the access server 102 in someembodiments, while it may not be logged into the access server 102 inother embodiments. For example, the access server 102 may be configuredto respond to a request for the address information of the reflector1002 without requiring authentication by the requestor, or the accessserver 102 may be configured to require authentication prior toresponding to the request. Authentication may require that the requestorlog into the access server 102 or may simply require that the requestorprovide credentials without the need to log in. Similarly, in step 2604,the endpoint 106 may contact the access server 102 to obtain the addressinformation of the reflector 1002.

In step 2606, the endpoint 104 logs into the third party IM system 2502.This may involve sending whatever authentication credentials arerequired from the endpoint 104 to the third party IM system 2502, suchas a user name and a password. The third party IM system 2502 mayrespond with such information as a friend list that shows the status ofvarious friends of the endpoint 104 within the third party IM system2502. Similarly, in step 2608, the endpoint 106 logs into the thirdparty IM system 2502 and the third party IM system 2502 may respond withsuch information as a friend list that shows the status of variousfriends of the endpoint 106 within the third party IM system 2502. Inthe present example, the endpoints 104 and 106 are friends within thethird party IM system 2502, although they may not be friends if theparticular third party IM system 2502 does not require or supportfriends. It is understood that the login process of steps 2606 and 2608may vary depending on the particular third party IM system, and that theendpoints 104 and 106 include the functionality needed to login andcommunicate via the third party IM system 2502.

The third party IM system 2502 views the endpoints 104 and 106 asclients of the third party IM system 2502 and not as peer-to-peer hybridendpoints as described in the present disclosure. For example, the thirdparty IM system 2502 may not be aware of the endpoints' peer-to-peerhybrid network functionality and instead may be aware only that theendpoints 104 and 106 can communicate with the third party IM system2502 in the manner required by the third party IM system 2502 and thatthe endpoints 104 and 106 present proper authentication credentials.Accordingly, the third party IM system 2502 views the login process ofsteps 2606 and 2608 as a normal process that is performed by clients ofthe third party IM system 2502.

In step 2610, the endpoint 104 sends a call request to the endpoint 106using an instant message sent through the third party IM system 2502. Inthe present example, the call request is for a streaming audio/videoconnection with the endpoint 106. The call request may includeinformation needed for the endpoint 106 to communicate with the endpoint104 outside of the third party IM system 2502. Although not shown, theendpoint 104 may have previously performed a STUN request and obtainedthe public IP address and port information corresponding to the endpoint104 as previously described. Accordingly, the call request may includethe address information of the endpoint 104, such as the public andprivate (NAT) IP address and port information of the endpoint 104. Thecall request may also include call parameters such as the type of mediafor the call (e.g., audio, audio/video, and/or data), codec type,available bandwidth, and other information. It is understood that, ifthe initial call request message does not include the addressinformation needed to communicate with the endpoint 104 outside of thethird party IM system 2502, then a later message may be sent with suchinformation as this information is needed for the call to continue.

In the present example, the request message is encrypted using a publickey/private key system or another encryption system prior to being sent,although encryption may not be used in some embodiments. Morespecifically, an instant message compatible with the third party IMsystem 2502 may contain required information that is required by thethird party IM system 2502 and optional information that represents thetext or other data supplied by a user of the third party IM system 2502.For example, the required information may be header information thatidentifies the sender and destination clients within the third party IMsystem 2502, while the optional information may be plain text that is tobe transported by the instant message. Some or all of the optionalinformation may be encrypted by the endpoint 104. In the presentexample, the optional information would include the address informationof the endpoint 104 and the parameters. The parameters and/or theaddress information may be encrypted prior to sending the instantmessage. It is understood that the endpoint 104 may encrypt only thoseinstant messages that are associated with a call and that normal instantmessages handled by the endpoint 104 may not be encrypted.

If the endpoint 106 is not an endpoint but is instead a normal client ofthe third party IM system 2502, the client may display the requestmessage to a user of the client as a meaningless text message. In suchcases, there may be no response to the endpoint 104. Accordingly, thecall request from the endpoint 104 may time out after the expiration ofa predefined amount of time (e.g., thirty seconds) and end the attemptto set up a call. The endpoint 104 may display a message that theendpoint 106 is unavailable or otherwise notify the user of the endpoint104 that the endpoint 106 is not responding.

In step 2612, the endpoint 104 traps the received instant message. Morespecifically, the IM control module receives the message and, afterdecrypting the message if needed, determines that it is a call requestrather than a regular text message. It is noted that the encryptionitself may trigger the determination that the received instant messageis not simply a text message. Although not shown, if the IM controlmodule determines that the received instant message is a regular textmessage of the kind supported by the third party IM system 2502, it willtreat the instant message as simply what it is (i.e., a text message)and display it for the user of the endpoint 106. However, as the instantmessage contains a call request in the present example, the IM controlmodule will extract the information contained in the instant message andwill not display the message to the user. In step 2614, the endpoint 106sends an instant message to the endpoint 104 approving the call request.This response message may also be encrypted.

In step 2616, the endpoints 104 and 106 determine a route to be used forthe media leg of the call. Although the public, private, and relayroutes described previously are used in FIG. 26A for purposes ofillustration, the route for the media leg may be determined in otherways and may include other routes that are external to the third partyIM system 2502. It is understood that the media leg is outside of thethird party IM system 2502 and the third party IM system 2502 has nocontrol over the media leg.

In step 2618, the endpoint 104 sends a message using an extended RTPmessage sent via the media route to the endpoint 106 to start the mediaflow. Signaling messages between the endpoints 104 and 106 following theinitial signaling messages (i.e., the messages of steps 2610 and 2614)may be sent via the third party IM system 2502 and/or the mediaroute(s). In the present example, the signaling messages are sent viathe media route(s) as RTP messages that are extended to carry desiredinformation. There may be different extended RTP messages to performdifferent functions, such as “start flow,” “stop flow,” “pause,”“resume” or “restart,” “ok,” “end call” or “end flow,” and any otherdesired message types. In the present example, a stop flow messagediffers from an end flow message in that the stop flow message indicatesthat the flow is to be stopped temporarily (e.g., put on hold), whilethe end flow message indicates that the flow is to be terminated.

These extended RTP signaling messages use the media channel to bypassthe third party IM system 2502. This outside route avoids flooding thethird party IM system 2502 with the relatively high number of messagesthat may be needed for call setup and call maintenance. It is understoodthat the third party IM system 2502 may be used as the only signalingchannel in some embodiments, although instant messages carrying textcommands or other commands would replace the extended RTP messages ofthe present example. Furthermore, it is understood that other mediaprotocols than RTP may be used to carry signaling information and thatRTP messages are used to provide an example of such messages.

In step 2620, the endpoint 106 sends an OK message to the endpoint 104using an extended RTP message sent via the media route. For purposes ofexample, the call request is for a streaming audio/video call thatstreams audio/video information one-way from the endpoint 106 to theendpoint 104. If the audio/video were to also stream from the endpoint104 to the endpoint 106, as it would for a two-way audio/video call, theendpoint 106 would also send a start flow message to the endpoint 104.

In step 2622, the endpoints 104 and 106 are engaged in the call. Asdescribed above, signaling for the call in the present example uses themedia route(s) with corresponding media messages (e.g., extended RTPmessages), while signaling in other embodiments may use instant messagespassed through the third party IM system 2502. Media for the call usesthe media route(s) outside of the third party IM system 2502 (e.g., oneor more of the private, public, and relay routes). In the presentexample, all information (both signaling and media) carried on the mediaroute is encrypted. Encryption of any signaling information carried viathe third party IM system 2502 may occur as described previously.

It is understood that many messages may be exchanged during the timeperiod covered by step 2622. For example, although not shown, theendpoint 104 may send a pause message and then, at a later time, aresume message. The endpoint 106 may respond to these messages bypausing and then resuming the audio/video stream. Accordingly, using theextended RTP messages, the endpoints 104 and 106 may exert control overthe call. Although not shown, one or more other endpoints may beincluded in the call (e.g., a conference call) and the signaling mayalso handle the addition and/or removal of the other endpoint(s).

In step 2624, when the endpoint 104 wants to stop the media flow, theendpoint 104 sends a stop flow message to the endpoint 106 via the mediaroute. In step 2626, the endpoint 106 sends an OK message to theendpoint 104 via the media route. In step 2628, the endpoint 104 sendsan end flow message to the endpoint 106 to break down the media leg andfinish the call. In step 2630, the endpoint 106 sends an end flowmessage or another message, such as an OK message, to the endpoint 104.This ends the call. After the call is ended, the media leg(s) areterminated and the endpoints 104 and 106 may continue to send instantmessages through the third party IM system 2502.

It is understood that various steps may occur in a different order thanshown in FIG. 26A. For example, one or both of the endpoints 104 and 106may obtain the reflector address information after logging in to thethird party IM system 2502. In some embodiments, an endpoint may notobtain the reflector information until needed (e.g., until a call isplaced that may use the relay route). Furthermore, although not shown,some steps may occur repeatedly. For example, step 2612 may occur eachtime one of the endpoints 104 and 106 receives an instant message viathe third party IM system 2502. Additional steps of encrypting anddecrypting may occur each time an instant message that is not a normaltext message is sent and received via the third party IM system 2502 inembodiments where encryption is used.

Accordingly, an audio/video call or another type of call may beestablished using the third party IM system 2502 as an initial signalingchannel. This allows an outside service provider to provide services,such as streaming video, to users of the third party IM system 2502without needed access to proprietary interfaces of the third party IMsystem 2502. Furthermore, it allows the outside service provider toprovide services that may not be available on the third party IM system2502. For example, if the third party IM system 2502 does not providevideo on demand to its users, the outside service provider may do sousing the instant messaging signaling and separate media leg(s)described above.

Referring to FIG. 26B, a state diagram illustrates one embodiment of astate machine 2650 that may be used by the endpoint 104 in theenvironment of FIG. 25. In the present example, the state machine 2650may be used to control messages sent via one of the selected privateroute 1902, public route 1904, and relay route 1906, but it isunderstood that the state machine 2650 may be associated with any routeused by the endpoint 104. The state machine 2650 is used herein toillustrate basic state machine changes that may occur to control RTPmessaging within the endpoint 104 and may not reflect an actualimplementation within an endpoint. Furthermore, the state machine 2650in the present example may be used to control the messaging for a singleone of the private, public, and relay routes. Accordingly, each routemay be associated with its own state machine and these state machinesmay be running on the endpoint 104 simultaneously to handle themessaging on their respective routes.

The state machine 2650 has six states in the present example: an IDLEFLOW state 2652, an INIT FLOW state 2654, a TIMEOUT FLOW state 2656, aRECONFIRM FLOW state 2658, an ACTIVE FLOW state 2660, and a KEEPALIVEFLOW state 2662. The IDLE FLOW state 2652 and the ACTIVE FLOW state 2660are operating states (indicated by double concentric circles) and theINIT FLOW state 2654, TIMEOUT FLOW state 2656, RECONFIRM FLOW state2658, and KEEPALIVE FLOW state 2662 are transitional states (indicatedby a single circle).

The state machine 2650 is initially in the IDLE FLOW state 2652. Thestate machine 2650 remains in the IDLE FLOW state 2652 while nomessaging is occurring on its corresponding route. When the endpoint 104initiates a message sequence, it sends an RTP flow initializationmessage on the private route 1902, public route 1904, and relay route1906 as described previously with respect to step 2202 of FIG. 22. Forpurposes of example, the state machine 2650 is associated with thepublic route 1904. The flow initialization message transitions the statemachine 2650 from the IDLE FLOW state 2652 to the INIT FLOW state 2654.

If the endpoint 104 receives an end flow message while in the INIT FLOWstate 2654, the state machine 2650 transitions back to the IDLE FLOWstate 2652. The state machine 2650 remains in the IDLE FLOW state 2652until a message is sent or received on the public route 1904.

While waiting for the response while in the INIT FLOW state 2654, thestate machine 2650 transitions to the TIMEOUT FLOW state 2656. The statemachine 2650 then transitions from the TIMEOUT FLOW state 2656 back tothe INIT FLOW state 2654 if still within a timeout period or if theperiod is extended. The transitions between the INIT FLOW state 2654 andthe TIMEOUT FLOW state 2656 may occur until a timeout occurs or anotherstate transition is triggered. If a timeout occurs, the state machine2650 transitions from the TIMEOUT FLOW state 2656 to the IDLE FLOW state2652.

If the endpoint 104 receives an acknowledgement back on a differentroute (e.g., on the relay route 1906 rather than the public route 1904as determined in step 2212 of FIG. 22) while in the INIT FLOW state2654, the INIT FLOW state 2654 transitions to the RECONFIRM FLOW state2658. While in the RECONFIRM FLOW state 2658, the endpoint 104 sends aconfirmation message as described with respect to step 2214 of FIG. 22.If the response times out while the state machine 2650 is in theRECONFIRM FLOW state 2658, the state machine 2650 transitions to theTIMEOUT FLOW state 2656. If the endpoint 104 receives an end flowmessage while in the RECONFIRM FLOW state 2658, the state machine 2650transitions to the IDLE FLOW state 2652. If the endpoint 104 receives anacknowledgement on the same route while in the RECONFIRM FLOW state2658, the state machine 2650 transitions to the ACTIVE FLOW state 2660.If the endpoint 104 receives a stop flow message while in the RECONFIRMFLOW state 2658, the state machine 2650 transitions to the KEEPALIVEFLOW state 2662.

If the endpoint 104 receives an acknowledgement back on the same routewhile in the INIT FLOW state 2654, the INIT FLOW state 2654 transitionsto the ACTIVE FLOW state 2610. While in the ACTIVE FLOW state 2610, theendpoint 104 sends and receives call messages for a call. The statemachine 2650 remains in the ACTIVE FLOW state 2660 until a message isreceived that interrupts the call. If the endpoint 104 receives an endflow message while in the ACTIVE FLOW state 5660, the state machine 2650transitions to the IDLE FLOW state 2652. If the endpoint 104 receives astop flow message while in the ACTIVE FLOW state 5660, the state machine2650 transitions to the KEEPALIVE FLOW state 2662.

If the endpoint 104 receives a stop flow message while in the INIT FLOWstate 2654, the state machine 2650 transitions to the KEEPALIVE FLOWstate 2662. While in the KEEPALIVE FLOW state 2662, the endpoint 104will send keep alive messages to the endpoint 106 to keep the connectionopen (e.g., to maintain a pinhole through a firewall) as described withrespect to step 2222 of FIG. 22. If the endpoint 104 receives a startflow message while in the KEEPALIVE FLOW state 2662, the state machine2650 transitions to the ACTIVE FLOW state 2660. If the endpoint 104receives an end flow message while in the KEEPALIVE FLOW state 2662, thestate machine 2650 transitions to the IDLE FLOW state 2652.

Referring to FIG. 27, a flow chart illustrates one embodiment of amethod 2700 that may be used by the endpoint 104 to request a call inthe environment of FIG. 25. In the present example, the endpoint 104 isa friend of the endpoint 106 within the third party IM system 2502.Although the call is an audio/video call in the present example, it isunderstood that it can be any type of call that can be handled by theendpoints 104 and 106.

In step 2702, the endpoint 104 obtains address information for thereflector 1002. Although shown as the first step of the method 2700,step 2702 may occur at any time prior to the need for the addressinformation (e.g., prior to step 2708). In step 2704, the endpoint 104logs into the third party IM system 2502.

In step 2706, the endpoint 104 receives input representing a callrequest from a user of the endpoint 104. For example, the user may diala number associated with the endpoint 106, select the endpoint 106 froma menu or list, or otherwise indicate that the user would like to placethe call to the endpoint 106. In the present embodiment, the endpoint104 recognizes the call request as a request for a call to a client thatis currently logged into the third party IM system 2502. In other words,the call request does not identify the endpoint portion of the endpoint106 as the destination, but instead identifies the IM client 2510 as thedestination. In the present embodiment, the endpoint 104 has noknowledge of the endpoint 106 and is not aware that the endpoint 106 hasendpoint functionality. Instead, the endpoint 104 views the endpoint 106only as the IM client 2510 and knows that the IM client 2510 is loggedinto the third party IM system 2502. Accordingly, the call request isviewed by the endpoint 104 as a request to a client in the third partyIM system 2502. It is understood that, in other embodiments, theendpoint 104 may be aware that the IM client 2510 is associated with theendpoint 106 and is therefore tied to endpoint functionality.

In step 2708, the endpoint 104 creates an instant message based on thecall request. The instant message may contain header information and akey. In the present example, the header information includes public IPaddress and port information needed to communicate with the endpoint104. This public information may be obtained by a STUN request asdescribed in previous embodiments. The header information may alsoinclude private (NAT) IP address and port information if applicable. Thekey represents parameters needed for the call, such as media type,codecs, and similar information.

In step 2710, the endpoint 104 encrypts the created instant message. Asdescribed previously, this involves encrypting at least a portion of theoptional information in the instant message. In step 2712, the endpoint104 sends the encrypted instant message to the endpoint 106 via thethird party IM system 2502. In step 2714, the endpoint 104 determineswhether an answer is received from the endpoint 106 prior to theexpiration of a timeout period. The timeout period prevents the endpoint104 from waiting indefinitely. For example, if the endpoint 106 does notrespond or if the endpoint 104 is communicating with a client of thethird party IM system 2502 rather than an endpoint, the timeout periodensures that the endpoint 104 ends the call attempt. If there is noanswer, the method 2700 moves to step 2720 and ends the call. If thereis an answer, the method 2700 moves to step 2716. In step 2716, theendpoints 104 and 106 establish one or more routes for the media leg(s)of the call. For example, the routes may be selected from the public,private, and relay paths described in previous embodiments. The mediaroutes are outside of the third party IM system 2502 and are thereforenot limited to text messages.

In step 2718, the call is conducted with signaling and audio/video mediagoing through the selected routes outside of the control of the thirdparty IM system 2502. As described with respect to FIG. 26A, theendpoints 104 and/or 106 may control the call through the use ofsignaling messages such as pause, resume, and other messages. In otherembodiments, at least some of the signaling may occur through the thirdparty IM system 2502 using encrypted instant messages. In step 2720, thecall ends.

Referring to FIG. 28, a flow chart illustrates one embodiment of amethod 2800 that may be used by the endpoint 106 in receiving a callrequest in the environment of FIG. 25. In the present example, theendpoint 106 is a friend of the endpoint 104 within the third party IMsystem 2502. Although the call is an audio/video call in the presentexample, it is understood that it can be any type of call that can behandled by the endpoints 104 and 106.

In step 2802, the endpoint 106 obtains address information for thereflector 1002. Although shown as the first step of the method 2800,step 2802 may occur at any time prior to the need for the addressinformation (e.g., prior to step 2816). In step 2804, the endpoint 106logs into the third party IM system 2502. In step 2806, the endpoint 106receives an encrypted instant message and decrypts the instant messagein step 2808. In step 2810, the endpoint 106 identifies the instantmessage as a request for a call and not a regular instant message. It isunderstood that step 2810 may be combined with step 2806 in that thereceipt of an encrypted instant message may be recognized as a callrequest rather than a regular instant message.

In step 2612, the endpoint 106 extracts information from the decryptedinstant message, such as the address information of the endpoint 104 andany call parameters inserted into the message by the endpoint 104. Instep 2614, the endpoint 106 determines whether the call request is to beaccepted. For example, the endpoint 106 may display a message to promptuser feedback (e.g., answer or reject the call request) or the endpoint106 may accept or reject the message based on criteria set forth in aconfiguration file (e.g., automatically accept the call request if fromthe endpoint 106). If the call request is not accepted, the method 2800ends. If the call request is accepted, the method 2800 continues to step2816.

In step 2816, the endpoint 106 sends a response message to the endpoint104 via the third party IM system 2502. The response message may beencrypted prior to sending. As described previously, this involvesencrypting at least a portion of the optional information in the instantmessage. In step 2818, the endpoints 104 and 106 establish one or moreroutes for the media leg(s) of the call. For example, the routes may beselected from the public, private, and relay paths described in previousembodiments. The media routes are outside of the third party IM system2502 and are therefore not limited to text messages.

In step 2820, the call is conducted with signaling and audio/video mediagoing through the selected routes outside of the control of the thirdparty IM system 2502. As described with respect to FIG. 26A, theendpoints 104 and/or 106 may control the call through the use ofsignaling messages such as pause, resume, and other messages. In otherembodiments, at least some of the signaling may occur through the thirdparty IM system 2502 using encrypted instant messages. In step 2822, thecall ends.

Referring to FIG. 29, one embodiment of a computer system 2900 isillustrated. The computer system 2900 is one possible example of asystem component or device such as an endpoint or an access server. Thecomputer system 2900 may include a central processing unit (“CPU”) 2902,a memory unit 2904, an input/output (“I/O”) device 2906, and a networkinterface 2908. The components 2902, 2904, 2906, and 2908 areinterconnected by a transport system (e.g., a bus) 2910. A power supply(PS) 2912 may provide power to components of the computer system 2900,such as the CPU 2902 and memory unit 2904. It is understood that thecomputer system 2900 may be differently configured and that each of thelisted components may actually represent several different components.For example, the CPU 2902 may actually represent a multi-processor or adistributed processing system; the memory unit 2904 may includedifferent levels of cache memory, main memory, hard disks, and remotestorage locations; the I/O device 2906 may include monitors, keyboards,and the like; and the network interface 2908 may include one or morenetwork cards providing one or more wired and/or wireless connections tothe packet network 108 (FIG. 1). Therefore, a wide range of flexibilityis anticipated in the configuration of the computer system 2900.

The computer system 2900 may use any operating system (or multipleoperating systems), including various versions of operating systemsprovided by Microsoft (such as WINDOWS), Apple (such as Mac OS X), UNIX,and LINUX, and may include operating systems specifically developed forhandheld devices, personal computers, and servers depending on the useof the computer system 2900. The operating system, as well as otherinstructions (e.g., for the endpoint engine 252 of FIG. 2 if anendpoint), may be stored in the memory unit 2904 and executed by theprocessor 2902. For example, if the computer system 2900 is the endpoint104, the memory unit 2904 may include instructions for endpointfunctionality and for the IM client 2508. For example, the instructionsmay include instructions for sending and receiving messages via both apeer-to-peer hybrid network and the third party IM system 2502 toaccomplish the method 2700 of FIG. 27 and/or the method 2800 of FIG. 28.

In another embodiment, a method for using a third party instant messagesystem as a signaling channel comprises receiving, by a first endpointcapable of operating within the third party instant message system andalso capable of operating within a peer-to-peer hybrid network that isseparate from the third party instant message system, user inputrepresenting a call request for a call to be placed to a second endpointthat is also capable of operating within the third party instant messagesystem and the peer-to-peer hybrid network; creating, by the firstendpoint, a call request message containing address information of thefirst endpoint, wherein the call request message is an instant messageable to sent via the third party instant message system; sending, by thefirst endpoint, the call request message to the second endpoint via thethird party instant messaging system; receiving, by the first endpoint,a response message from the second endpoint via the third party instantmessage system, wherein the response message contains addressinformation of the second endpoint; establishing, by the first endpoint,at least one media route with the second endpoint to carry media for thecall, wherein the at least one media route is established using thepeer-to-peer hybrid network and not the third party instant messagesystem; and conducting the call by the first endpoint with the secondendpoint, wherein the conducting includes sending and receiving, by thefirst endpoint, media information for the call via the at least onemedia route, and sending and receiving, by the first endpoint, signalinginformation for the call. Sending and receiving the signalinginformation while conducting the call may include sending and receivingthe signaling information using media packets transferred via the atleast one media route. The media packets may be real-time transportprotocol (RTP) packets created by the first endpoint. Sending andreceiving the signaling information while conducting the call mayinclude sending and receiving the signaling information using instantmessages transferred via the third party instant message system. Themethod may further comprise encrypting, by the first endpoint, at leasta portion of the call request message prior to sending the call requestmessage to the second endpoint. The method may further compriseobtaining, by the first endpoint, address information for a reflector inthe peer-to-peer hybrid network and using, by the first endpoint, thereflector to establish the at least one media route. The method mayfurther comprise logging in to the peer-to-peer network before obtainingthe address information for the reflector. The call request message mayfurther include at least one parameter for the call. The method mayfurther comprise determining, by the first endpoint, whether a timeouthas occurred after sending the call request message to the secondendpoint, wherein the timeout prevents the first endpoint from waitingindefinitely for the response message from the second endpoint if thesecond endpoint is not an endpoint within the peer-to-peer hybridnetwork.

In yet another embodiment, a method for using a third party instantmessage system as a signaling channel comprises receiving, by a firstendpoint capable of operating within the third party instant messagesystem and also capable of operating within a peer-to-peer hybridnetwork that is separate from the third party instant message system, acall request message for a call from a second endpoint that is alsocapable of operating within the third party instant message system andthe peer-to-peer hybrid network, wherein the call request message is aninstant message received via the third party instant message system;identifying, by the first endpoint, that the call request messagecontains a request for the call prior to sending the call requestmessage to a user display associated with the third party instantmessage system, wherein the identifying prevents the call requestmessage from being displayed to the user; extracting address informationof the second endpoint from the call request message; sending, by thefirst endpoint, a response message to the second endpoint, wherein theresponse message contains address information of the first endpoint;establishing, by the first endpoint, at least one media route with thesecond endpoint to carry media for the call, wherein the at least onemedia route is established using the peer-to-peer hybrid network and notthe third party instant message system; and conducting the call by thefirst endpoint with the second endpoint, wherein the conducting includessending and receiving, by the first endpoint, media information for thecall via the at least one media route, and sending and receiving, by thefirst endpoint, signaling information for the call. The sending andreceiving the signaling information while conducting the call mayinclude sending and receiving the signaling information using mediapackets transferred via the at least one media route. The media packetsmay be real-time transport protocol (RTP) packets created by the firstendpoint. The sending and receiving the signaling information whileconducting the call may include sending and receiving the signalinginformation using instant messages transferred via the third partyinstant message system. The method may further comprise decrypting, bythe first endpoint, at least a portion of the call request message priorto extracting the address information. The method may further compriseobtaining, by the first endpoint, address information for a reflector inthe peer-to-peer hybrid network and using, by the first endpoint, thereflector to establish the at least one media route. The method mayfurther comprise extracting, by the first endpoint, at least oneparameter for the call from the call request message. The method mayfurther comprise prompting, by the first endpoint, a user of the firstendpoint to accept or reject the request for the call, wherein theprompting occurs via at least one of a display visible to the user, aspeaker audible to the user, or a vibrating mechanism that can be feltby the user.

In still another embodiment, a system comprises a network interface; aprocessor coupled to the network interface; and a memory coupled to theprocessor and containing a plurality of instructions for execution bythe processor, the instructions including instructions for a firstendpoint configured to operate within a peer-to-peer hybrid network, thefirst endpoint including a client of a third party instant messagesystem that enables the first endpoint to communicate via the thirdparty instant message system, the instructions for the first endpointincluding instructions for: receiving, by the first endpoint, user inputrepresenting a call request for a call to be placed to a second endpointthat is also capable of operating within the third party instant messagesystem and the peer-to-peer hybrid network; creating, by the firstendpoint, a call request message containing address information of thefirst endpoint, wherein the call request message is an instant messageable to sent via the third party instant message system; sending, by thefirst endpoint, the call request message to the second endpoint via thethird party instant messaging system; receiving, by the first endpoint,a response message from the second endpoint via the third party instantmessage system, wherein the response message contains addressinformation of the second endpoint; establishing, by the first endpoint,at least one media route with the second endpoint to carry media for thecall, wherein the at least one media route is established using thepeer-to-peer hybrid network and not the third party instant messagesystem; and conducting the call by the first endpoint with the secondendpoint, wherein the conducting includes sending and receiving, by thefirst endpoint, media information for the call via the at least onemedia route, and sending and receiving, by the first endpoint, signalinginformation for the call. The instructions for sending and receiving thesignaling information while conducting the call may include instructionsfor sending and receiving the signaling information using media packetstransferred via the at least one media route. The media packets may bereal-time transport protocol (RTP) packets. The instructions for sendingand receiving the signaling information while conducting the call mayinclude instructions for sending and receiving the signaling informationusing instant messages transferred via the third party instant messagesystem. The system may further comprise instructions for encrypting atleast a portion of the call request message. The system may furthercomprise instructions for obtaining address information for a reflectorin the peer-to-peer hybrid network, wherein the reflector is used toestablish the at least one media route. The system may further compriseinstructions for logging in to the peer-to-peer network before obtainingthe address information for the reflector.

While the preceding description shows and describes one or moreembodiments, it will be understood by those skilled in the art thatvarious changes in form and detail may be made therein without departingfrom the spirit and scope of the present disclosure. For example,various steps illustrated within a particular sequence diagram or flowchart may be combined or further divided. In addition, steps describedin one diagram or flow chart may be incorporated into another diagram orflow chart. Some steps may be performed in an order different from thatshown and/or may overlap. Furthermore, the described functionality maybe provided by hardware and/or software, and may be distributed orcombined into a single platform. Additionally, functionality describedin a particular example may be achieved in a manner different than thatillustrated, but is still encompassed within the present disclosure.Therefore, the claims should be interpreted in a broad manner,consistent with the present disclosure.

What is claimed is:
 1. A method for using a third party instant messagesystem as a signaling channel comprising: sending, by the firstendpoint, a call request message to a second endpoint via the thirdparty instant messaging system, wherein the call request message invitesthe second endpoint to establish at least one media channel for a callwith the first endpoint within a peer-to-peer hybrid network that isseparate from the third party instant message system; receiving, by thefirst endpoint, a response message from the second endpoint via thethird party instant message system agreeing to establish the at leastone media channel; establishing, by the first endpoint, the at least onemedia channel with the second endpoint to carry media for the call,wherein the at least one media channel is established using thepeer-to-peer hybrid network and not the third party instant messagesystem; and conducting the call by the first endpoint with the secondendpoint, wherein the conducting includes sending and receiving, by thefirst endpoint, media information for the call via the at least onemedia channel, and sending and receiving, by the first endpoint,signaling information for the call.
 2. The method of claim 1 whereinsending and receiving the signaling information while conducting thecall includes sending and receiving the signaling information via the atleast one media channel.
 3. The method of claim 1 wherein sending andreceiving the signaling information while conducting the call includessending and receiving the signaling information via the third partyinstant message system.
 4. The method of claim 1 further comprisingencrypting, by the first endpoint, at least a portion of the callrequest message prior to sending the call request message to the secondendpoint.
 5. The method of claim 4 wherein any messages sent by thefirst endpoint to the second endpoint via the third party instantmessage system that are not signaling messages for the call are notencrypted.
 6. The method of claim 1 wherein the call request messageincludes address information of the first endpoint needed by the secondendpoint to establish the at least one media channel via thepeer-to-peer hybrid network.
 7. The method of claim 6 wherein theresponse message includes address information of the second endpointneeded by the first endpoint to establish the at least one media channelvia the peer-to-peer hybrid network.
 8. A method for using a third partyinstant message system as a signaling channel comprising: receiving, bya first endpoint via the third party instant message system, a callrequest message for a call from a second endpoint, wherein the callrequest message invites the first endpoint to establish at least onemedia channel for a call with the second endpoint within a peer-to-peerhybrid network that is separate from the third party instant messagesystem; sending, by the first endpoint, a response message to the secondendpoint via the third party instant message system agreeing toestablish the at least one media channel; establishing, by the firstendpoint, the at least one media channel with the second endpoint tocarry media for the call, wherein the at least one media channel isestablished using the peer-to-peer hybrid network and not the thirdparty instant message system; and conducting the call by the firstendpoint with the second endpoint, wherein the conducting includessending and receiving, by the first endpoint, media information for thecall via the at least one media channel, and sending and receiving, bythe first endpoint, signaling information for the call.
 9. The method ofclaim 8 wherein sending and receiving the signaling information whileconducting the call includes sending and receiving the signalinginformation via the at least one media channel.
 10. The method of claim8 wherein sending and receiving the signaling information whileconducting the call includes sending and receiving the signalinginformation via the third party instant message system.
 11. The methodof claim 8 further comprising encrypting, by the first endpoint, atleast a portion of the response message prior to sending the responsemessage to the second endpoint.
 12. The method of claim 11 wherein anymessages sent by the first endpoint to the second endpoint via the thirdparty instant message system that are not signaling messages for thecall are not encrypted.
 13. The method of claim 8 wherein the callrequest message includes address information of the second endpointneeded by the first endpoint to establish the at least one media channelvia the peer-to-peer hybrid network.
 14. The method of claim 13 whereinthe response message includes address information of the first endpointneeded by the second endpoint to establish the at least one mediachannel via the peer-to-peer hybrid network.
 15. A system comprising: anetwork interface; a processor coupled to the network interface; and amemory coupled to the processor and containing a plurality ofinstructions for execution by the processor, the instructions includinginstructions for a first endpoint configured to operate within apeer-to-peer hybrid network, the first endpoint including a client of athird party instant message system that enables the first endpoint tocommunicate via the third party instant message system, the instructionsfor the first endpoint including instructions for: sending a callrequest message to a second endpoint via the third party instantmessaging system, wherein the call request message invites the secondendpoint to establish at least one media channel for a call with thefirst endpoint within a peer-to-peer hybrid network that is separatefrom the third party instant message system; receiving a responsemessage from the second endpoint via the third party instant messagesystem agreeing to establish the at least one media channel;establishing the at least one media channel with the second endpoint tocarry media for the call, wherein the at least one media channel isestablished using the peer-to-peer hybrid network and not the thirdparty instant message system; and conducting the call with the secondendpoint, wherein the conducting includes sending and receiving, by thefirst endpoint, media information for the call via the at least onemedia channel, and sending and receiving, by the first endpoint,signaling information for the call.
 16. The system of claim 15 whereinthe instructions for sending and receiving the signaling informationwhile conducting the call include instructions for sending and receivingthe signaling information via the at least one media channel.
 17. Thesystem of claim 15 wherein the instructions for sending and receivingthe signaling information while conducting the call include instructionsfor sending and receiving the signaling information via the third partyinstant message system.
 18. A system comprising: a network interface; aprocessor coupled to the network interface; and a memory coupled to theprocessor and containing a plurality of instructions for execution bythe processor, the instructions including instructions for a firstendpoint configured to operate within a peer-to-peer hybrid network, thefirst endpoint including a client of a third party instant messagesystem that enables the first endpoint to communicate via the thirdparty instant message system, the instructions for the first endpointincluding instructions for: receiving via the third party instantmessage system, a call request message for a call from a secondendpoint, wherein the call request message invites the first endpoint toestablish at least one media channel for a call with the second endpointwithin a peer-to-peer hybrid network that is separate from the thirdparty instant message system; sending a response message to the secondendpoint via the third party instant message system agreeing toestablish the at least one media channel; establishing the at least onemedia channel with the second endpoint to carry media for the call,wherein the at least one media channel is established using thepeer-to-peer hybrid network and not the third party instant messagesystem; and conducting the call with the second endpoint, wherein theconducting includes sending and receiving, by the first endpoint, mediainformation for the call via the at least one media channel, and sendingand receiving, by the first endpoint, signaling information for thecall.
 19. The system of claim 18 wherein the instructions for sendingand receiving the signaling information while conducting the callinclude instructions for sending and receiving the signaling informationvia the at least one media channel.
 20. The system of claim 18 whereinthe instructions for sending and receiving the signaling informationwhile conducting the call include instructions for sending and receivingthe signaling information via the third party instant message system.